Oversight Report

DEFENSE CONTRACT AUDIT AGENCY
QUALITY ASSURANCE PROGRAM

Report Number D-2002-6-001              December 6, 2001

Office of the Inspector General
Department of Defense

Additional Information and Copies

To obtain additional copies of this oversight report, visit the Inspector General,
DoD, Home Page at www.dodig.osd.mil/audit/reports or contact the Secondary
Reports Distribution Unit of the Audit Followup and Technical Support
Directorate at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Evaluation

To suggest ideas for or to request evaluations, contact the Audit Followup and
Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or
fax (703) 604-8932. Ideas and requests can also be mailed to:

OAIG-AUD (ATTN: AFTS Audit Suggestions)
Inspector General, Department of Defense
400 Army Navy Drive (Room 801)
Arlington, VA 22202-4704

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling
(800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or
by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900.
The identity of each writer and caller is fully protected.

Acronyms
APPS     Automated Planning and Performance System
CAM      DCAA Manual 7640.1, “DCAA Contract Audit Manual”
DCAA     Defense Contract Audit Agency
ESC      Executive Steering Committee
FAO      Field Audit Office
GAS      Government Auditing Standards
ICAPS    Internal Control Audit Planning Summary
MRD      Memorandum for Regional Directors
PCIE     President’s Council on Integrity and Efficiency
RQA      Regional Quality Assurance Division
SAS      Statement on Auditing Standards

Office of the Inspector General, DoD
Report No. D-2002-6-001              December 6, 2001
Project No. D2000OA-0238

Defense Contract Audit Agency
Quality Assurance Program

Executive Summary

Introduction. This is the first in a series of reports on the Defense Contract Audit
Agency quality assurance program. The Defense Contract Audit Agency internal
quality control system is implemented at all levels of the organization and is
multi-functional, covering elements of vulnerability assessment, internal control review,
external audit followup, audit quality review, and management improvement efforts.
The “Government Auditing Standards,” June 1994, issued by the Comptroller General
of the United States, requires that each audit organization have an appropriate quality
control system. For FY 2000, the Defense Contract Audit Agency completed
41,722 reviews, valued at $194.8 billion, with net savings of $2.4 billion. The Defense
Contract Audit Agency incurred $364.3 million in total operating costs to provide the
audit services.

Objectives. The objective for this evaluation was to review the Defense Contract Audit
Agency’s quality assurance program and to assess how the Defense Contract Audit
Agency performed the internal quality assurance review of forward pricing
assignments, which was the first agency-wide review conducted by the new
headquarters Quality Assurance Division. Subsequent evaluations will assess how the
Defense Contract Audit Agency performs internal quality assurance reviews of internal
control reviews and incurred cost audits, as well as all other assignments.

Results.
The Defense Contract Audit Agency quality assurance program incorporates
many of the elements needed for an effective review of an internal quality control
system. Since the program was announced in October 1998, the Defense Contract
Audit Agency has been refining its quality assurance program to include the
fundamental elements of a mature program. The Defense Contract Audit Agency can
improve the capability of the program to provide a thorough agency-wide evaluation of
whether its audits are performed in compliance with auditing standards and Defense
Contract Audit Agency policies and procedures by implementing recommended actions,
suggested improvements, and enhancements (finding A).

The Defense Contract Audit Agency selected forward pricing assignments as the first
category of audits to be reviewed. The internal quality assurance review of forward
pricing assignments identified some areas needing improvement for which the Defense
Contract Audit Agency had either implemented or initiated corrective action. To
resolve the remaining issues, the Defense Contract Audit Agency should revise
guidance on the delegating authority to sign audit reports and documenting reliance on
data from computer-based systems. Timely resolution of issues will ensure that the
Defense Contract Audit Agency internal quality assurance program is effective
(finding B).

The Defense Contract Audit Agency used a checklist it developed based on the
President’s Council on Integrity and Efficiency “Guide for Conducting External Quality
Control Reviews of the Audit Operations of Offices of Inspector General,” April 1997,
to document its internal quality assurance review of the individual forward pricing
assignments. However, the documents generated by the quality assurance staff did not
completely explain the work performed or fully document conclusions reached.
In addition, the Quality Assurance Division did not fully evaluate whether the reviewed
audits met certain auditing standards. The Defense Contract Audit Agency needs to
modify its procedures for future internal quality assurance reviews so an external
reviewer can place greater reliance on the Defense Contract Audit Agency work when
conducting oversight reviews. If the Defense Contract Audit Agency adequately
documents the internal quality assurance reviews, the external reviewers may use the
results as direct evidence to support its overall opinion of the internal quality assurance
program (finding C).

Summary of Recommendations. We recommend that the Defense Contract Audit
Agency formalize its policies and procedures for conducting internal quality assurance
reviews before starting the next review; monitor the internal quality assurance program
to ensure that the program is completed as planned during the 3-year cycle;
institutionalize formal procedures for tracking corrective actions to include timely
implementation; and conduct independent reviews of all the field audit offices within
the 3-year cycle. In addition, we recommend revising policy to prohibit supervisory
auditors, when acting as field audit office managers, from signing audit reports issued
on audit assignments they supervised as well as issuing clarifying guidance for
documenting reliance on data from computer-based systems.

We recommend that the Defense Contract Audit Agency sufficiently document all
auditor conclusions when performing internal quality assurance reviews.
In addition, we recommend revising checklist questions to more fully assess reliance on data from
computer-based systems, the understanding of internal controls, and cross-referencing
of draft reports; revising the standard audit programs for forward pricing assignments
to include audit steps that address assessment of audit risk; modifying agency guidance
to provide additional guidance on proper cross-referencing of reports; and establishing
criteria for rating field audit offices.

Management Comments. The Defense Contract Audit Agency generally concurred
with the recommendations to formalize its policies and procedures; monitor the
program to ensure that it is completed as planned; institutionalize formal procedures for
tracking corrective actions; conduct independent reviews of all the field audit offices;
issue clarifying guidance for documenting reliance on data from computer-based
systems; consider revising checklist questions; revise the standard audit programs;
modify guidance on proper cross-referencing of reports; and establish rating criteria.

The Defense Contract Audit Agency nonconcurred with conducting an independent
review of Field Detachment, stating that to appropriately plan, supervise, analyze, and
report the results would require that several additional personnel obtain the appropriate
security clearances. The Defense Contract Audit Agency nonconcurred with revising
policy on delegation of signature authority, stating that precluding an acting field audit
office manager from signing his or her own reports when required by the circumstances
would further complicate an already complex policy without significant benefit.
The Defense Contract Audit Agency nonconcurred with sufficiently documenting all auditor
conclusions that do not identify a deficiency, stating that it would not be prudent to
commit the limited quality assurance resources to providing sufficient documentation in
support of all determinations of compliance with a given auditing standard or element
of agency policy.

A discussion of management comments to the findings is in Appendix B. A discussion
of management comments to the recommendations is in the Findings section of the
report and the complete text is in the Management Comments section.

Evaluation Response. The Defense Contract Audit Agency comments are generally
responsive. However, we do not fully agree with their positions on conducting an
independent review of Field Detachment, revising policy on delegation of signature
authority, and sufficiently documenting auditor conclusions. On conducting an
independent review of Field Detachment, we believe that such a review is still
necessary. On revising policy on delegation of signature authority, our position is that
requiring the independent review of audit reports deemed sensitive by Defense Contract
Audit Agency management is an important management control procedure and helps
ensure that higher level managers are satisfied with the overall quality of the product
and that the message is sound, addresses the objectives, and meets customer needs. On
sufficiently documenting all auditor conclusions, our position is that for an external
reviewer to understand how the quality assurance reviewer concluded that a particular
standard was complied with requires some indication of the reviewer thought process
and the documentation that led him to such a conclusion. In addition, for the external
reviewer, an internal quality assurance reviewer conclusion that auditing standards are
met is as significant as a conclusion that standards are not met.
For us to place maximum reliance on Defense Contract Audit Agency work, we need an audit trail
from significant findings and conclusions discussed in trip reports to the working papers
that support them. We request that the Defense Contract Audit Agency provide
comments to the final report by February 4, 2002.

Table of Contents

Executive Summary

Introduction
    Background
    Objectives

Findings
    A. Defense Contract Audit Agency Quality Assurance Program
    B. Internal Quality Assurance Review of Forward Pricing Assignments
    C. Implementation of the Internal Quality Assurance Review of Forward Pricing Assignments

Appendixes
    A. Evaluation Process
        Scope
        Methodology
        Prior Coverage
    B. Management Comments on the Findings and Evaluation Response
    C. Report Distribution

Management Comments
    Defense Contract Audit Agency

Background

This is the first in a series of reports on the Defense Contract Audit Agency
(DCAA) quality assurance program. The “Government Auditing Standards”
(GAS), issued by the Comptroller General of the United States, requires that
each audit organization have an appropriate quality control system.
The organization’s internal quality control system should provide reasonable
assurance that it has adopted and is following applicable auditing standards and
has established and is following adequate auditing policies and procedures.

President’s Council on Integrity and Efficiency. The President’s Council on
Integrity and Efficiency (PCIE) was established to identify, review, and discuss
areas of weakness and vulnerability in Federal programs and operations; to
develop plans for coordinated, Government-wide activities that address those
issues; and to promote economy and efficiency in Federal programs and
operations. As part of that mandate, the PCIE developed the “Guide for
Conducting External Quality Control Reviews of the Audit Operations of
Offices of Inspector General” (PCIE Guide), April 1997, as a tool to promote
consistency in conducting quality control reviews in accordance with GAS. The
PCIE Guide is advisory and is not intended to replace a reviewer’s professional
judgment regarding the approach or scope of a review. The PCIE Guide
includes a variety of checklists that organizations can use as tools when
conducting quality control reviews.

DCAA Organization and Functions. DoD Directive 5105.38, “Defense
Contract Audit Agency,” June 9, 1965, established DCAA as a separate
organization under the direction, authority, and control of the Under Secretary
of Defense (Comptroller).¹ The primary mission of DCAA is to perform
contract audits for DoD.
In addition, DCAA is responsible for providing
accounting and financial advisory services regarding contracts and subcontracts
to DoD Components that perform procurement and contract administration
duties. Also, DCAA provides contract audit services for non-DoD Federal
organizations on a reimbursable basis. For FY 2000, DCAA completed
41,722 reviews, valued at $194.8 billion,² with net savings of $2.4 billion.
DCAA incurred $364.3 million in total operating costs to provide the audit
services. DCAA audit guidance is contained in DCAA Manual 7640.1,
“DCAA Contract Audit Manual” (CAM).³ Specifically, CAM Section 2-101
states that GAS is applicable to DCAA. DCAA ensures compliance with the
applicable auditing standards throughout audit planning and performance
activities by supplementing audit guidance in the CAM with standard audit
programs and internal control matrices. Between CAM updates, DCAA
headquarters notifies managers of new and revised audit guidance by issuing
Memorandums for Regional Directors (MRD) that are usually incorporated in
the next CAM update.

¹ Formerly the Assistant Secretary of Defense (Comptroller).
² The amount represents dollars examined or reviewed by DCAA for forward pricing assignments,
  incurred cost audits, and special audits (for example, terminations, claims, and Government facility
  rentals).
³ DCAA Manual 7640.1 is updated every six months. As of November 2000, the most recent version is
  July 2001.

DCAA Quality Assurance Program.
DCAA MRD 98-P-147(R),
“Establishment of Quality Assurance Division,” October 23, 1998, established a
Quality Assurance Division at DCAA headquarters and in each of the five
regions and Field Detachment.⁴ The headquarters and Regional/Field
Detachment Quality Assurance Divisions are responsible for developing and
executing an agency-wide program to provide reasonable assurance that DCAA
has adopted and follows applicable auditing standards, and has established and
follows adequate auditing policies and procedures. Additional functions include
assessing the need for new or revised guidance, supporting external quality
control reviews, accompanying external auditors on field visits, serving on
process action teams, assisting in responding to inquiries, and identifying
“best-in-class” processes for use throughout DCAA.

Executive Steering Committee. The Executive Steering Committee
(ESC) is responsible for providing overall management and direction for the
DCAA total quality management program. In addition, the ESC is responsible
for establishing the DCAA vision and strategic goals; identifying quality
improvement projects; evaluating quality improvement projects suggested by
others; approving/disapproving DCAA process action teams; and maintaining
active communication and coordination with the quality management boards
regarding their process action team activities and recommendations. Committee
members include the Director, Deputy Director, assistant directors of the
headquarters components, directors of the five regions and Field Detachment,
and General Counsel.
The ESC meets quarterly and is briefed on issues such as
the Director’s performance contract, strategic plan, advanced degrees and
certifications, procurement plans, and the DCAA internal quality assurance
program. If necessary, the ESC establishes action items for tasks to be
completed or information to be provided. A listing of action items is maintained
for the Director, DCAA, by the Executive Officer.

Headquarters Quality Assurance Division. The DCAA headquarters
Quality Assurance Division performs formal internal quality assurance reviews
based on the PCIE Guide and other quality assurance-related reviews throughout
DCAA. When conducting the reviews, the Quality Assurance Division assesses
compliance with applicable auditing standards and audit policies and procedures,
the need for enhanced or new audit policy guidance, and best practices for use
throughout the agency.

⁴ Field Detachment is responsible for the overall planning, management, and execution of worldwide
  DCAA contract audits of compartmented programs.

Regional Quality Assurance Divisions. The Regional Quality
Assurance Divisions (RQA), including Field Detachment, assist the DCAA
headquarters Quality Assurance Division in performing the agency-wide quality
assurance reviews and other agency-wide quality assurance projects. At the
direction of their respective regional directors, the RQAs also perform regional
quality assurance reviews and projects to assess compliance with applicable
policies and procedures, the need for enhanced or new audit guidance, and best
practices for regional use.
In addition, the RQAs perform special reviews as
required by the regional directors. When performing regional quality assurance
and special reviews, the RQA chiefs report directly to the directors of their
respective regions. When performing agency-wide reviews under the direction
of the headquarters Quality Assurance Division, the RQA staffs assigned to the
review report indirectly to the chief of the headquarters Quality Assurance
Division.

DCAA Internal Quality Assurance Reviews. Beginning in FY 1999, DCAA
established a 3-year cycle for conducting internal quality assurance reviews.
DCAA determined that its workload fell into four major categories—forward
pricing assignments, internal control reviews, incurred cost audits, and all other
assignments.⁵ DCAA decided to conduct separate internal quality assurance
reviews for each of the major audit categories. DCAA plans to have all reviews
completed by April 2002 and to brief the ESC in June 2002.

Objectives

The objective for this evaluation was to review the DCAA quality assurance
program and to assess how DCAA performed the internal quality assurance
review of forward pricing assignments, which was the first agency-wide review
conducted by the new headquarters Quality Assurance Division. Subsequent
evaluations will assess how DCAA performs internal quality assurance reviews
of internal control reviews and incurred cost audits as well as all other
assignments.
See Appendix A for a discussion of the evaluation scope,
methodology, management control program review, and prior coverage.

⁵ Examples of other assignments include defective pricing audits, progress payment audits, operations
  audits, and termination audits.

A. Defense Contract Audit Agency Quality Assurance Program

The DCAA quality assurance program incorporates many of the elements
needed for an effective review of an internal quality control system.
Since the program was announced in October 1998, DCAA has been
refining its quality assurance program to include the fundamental
elements of a mature program. DCAA can improve the capability of the
program to provide a thorough agency-wide evaluation of whether
DCAA audits are performed in compliance with auditing standards and
DCAA policies and procedures by implementing the recommended
actions, suggested improvements, and enhancements.

Quality Assurance Policies

Government Auditing Standards. The GAS are standards for audits that are
performed on Government organizations, programs, activities, and functions.
The standards also apply to audits of Government assistance that contractors,
nonprofit organizations, and other non-Government organizations receive.
GAS 3.31 requires that, “Each audit organization conducting audits in
accordance with these standards should have an appropriate internal quality
control system in place.” In addition, GAS requires that an organization’s
internal quality control system provides reasonable assurance that the
organization has adopted and follows applicable auditing standards and has
established and follows adequate audit policies and procedures.
GAS states that
the nature and extent of an organization’s internal quality control system is
dependent on factors such as size, the degree of operating autonomy among
offices and personnel, the nature of the work, organizational structure, and
appropriate cost/benefit considerations. Therefore, the internal quality control
systems established by organizations will vary, as will the extent of the
documentation.

PCIE Guide. The PCIE Guide reiterates the guidance in GAS and provides
additional guidance on the internal quality control system as well as guidance for
conducting internal quality assurance reviews. The PCIE Guide states that an
organization’s internal quality control policies and procedures encompass, at a
minimum, the elements of staff qualifications, independence, audit performance,
and internal review. In addition, the PCIE Guide outlines the characteristics of
an internal quality assurance review. Also, the PCIE Guide includes a
“Checklist for Assessment of Internal Quality Assurance Program [PCIE
Appendix C],” which can be used as a tool to evaluate an organization’s quality
assurance program.

DCAA Internal Quality Control System

The DCAA internal quality control system encompasses the agency’s
organizational structure. The PCIE Guide states that an organization’s internal
quality control system should be comprehensive and designed to provide
reasonable assurance that the organization has adopted and follows applicable
auditing standards and has established and follows adequate audit policies and
procedures.
The DCAA internal quality control system is implemented at all
levels of the organization and is multifunctional, covering elements of
vulnerability assessment, internal control review, external audit followup,⁶ audit
quality review, and management improvement efforts. Organizationally, DCAA
is divided into a headquarters, 5 regions, Field Detachment, and 81 field audit
offices (FAOs⁷). DCAA considers all the organizational layers to be part of its
internal quality control system.

DCAA-Wide Quality Control System. The DCAA-wide quality control
system is defined in the CAM and in DCAA regulations and instructions.
DCAA-wide quality controls include use of standard audit programs and
standard checklists for reviewing audit reports; fact-finding visits by DCAA
headquarters program managers who use tools such as centrally directed surveys
and internal checklists; headquarters desk reviews; onsite reviews of internal
systems by DCAA specialists such as industrial engineers; and reviews by peers
outside the organization being reviewed. In addition, the DCAA quality
assurance program is an integral part of the quality control system.

Regional and Field Detachment Quality Control Systems. Regional quality
control systems implemented by the regional directors and managed by the
RQAs, including the Field Detachment Quality Assurance Division, are an
integral part of the DCAA quality control system.
Regional policies and
procedures set forth quality controls that include delegation of authority;
separation of duties; accountability of resources; recording, documenting, and
resolving audit findings; pre-issuance reviews of sensitive or significant audit
reports by regional audit managers; post-audit quality reviews by the regional
audit manager; and monthly post-issuance review of audit reports. The RQAs
also perform compliance reviews as requested by regional directors.

⁶ This function includes following up on findings and recommendations in General Accounting Office and
  Inspector General, DoD, reports.
⁷ An FAO can be either a resident office or a branch office. A resident office is established at a
  contractor’s facility whenever the amount of audit work justifies assignment of a permanent staff of
  auditors and support elements. A branch office is not located in a contractor’s facility and performs
  reviews of several contractors.

FAO Quality Control System. Within each region, DCAA has established
between 11 and 16 FAOs. The FAOs are responsible for implementing a sound
quality control system based on headquarters and regional guidance. Peer
review processes are an integral part of the FAO-level quality control system.
FAO quality controls include mandatory pre-issuance review of audits by
supervisory auditors and pre-issuance reviews of sensitive or significant audits
by FAO managers. The results of peer reviews are used to identify process
improvements within FAOs and are forwarded to the region and headquarters
for use in identifying trends throughout DCAA.
FAOs may institute other
quality control procedures, such as participatory work teams and pre-issuance
review of all audit reports.

DCAA Headquarters Quality Assurance Program Review Process

The PCIE Guide describes the characteristics that an organization’s quality
assurance program should integrate into any review of its quality control
system. Those characteristics include formal quality assurance review
procedures, adequate staffing, independence, thorough scope of review,
sufficient evidence, written results, written responses, and an effective followup
process.

The DCAA quality assurance program contains elements of each of those
characteristics. However, DCAA is still in the process of refining its quality
assurance program based on experience gained from the completed internal
quality assurance reviews. As a result, DCAA has not yet fully implemented all
of the needed elements of a mature program. The DCAA methodology for
preparing written results and written responses meets the intent of the PCIE
Guide. However, the characteristics of formal quality assurance review
procedures, staffing, independent review, evidence, followup procedures, and
scope of review in the DCAA internal quality assurance program need
improvement to ensure that the program will operate effectively. DCAA has
either taken corrective action or plans to take corrective action that will improve
many of the characteristics.

Formal Quality Assurance Review Procedures. Organizations conducting
internal quality assurance reviews should have formal policies and procedures.
DCAA has completed two headquarters-led reviews and is in the process of
conducting a third. DCAA has not prepared formal policies and procedures for
conducting the reviews. DCAA has informal procedures in the form of
Microsoft PowerPoint slides dated March 31, 1999.
The slides explain the
structure and makeup of the quality assurance divisions, general information on
how the internal quality assurance reviews will be performed, examples of
quality assurance work, and basic information on how the internal quality
assurance review of forward pricing assignments would be conducted. DCAA
recognizes the need for formal policies and procedures and plans to issue an
instruction by December 31, 2001. However, DCAA began the review of all
other assignments during October 2001, the last review for the first 3-year
cycle. DCAA needed to develop formal policies and procedures before
beginning that review for the external reviewer to evaluate the adequacy of the
policies and procedures as part of its overall evaluation of the DCAA quality
assurance program.

Staffing. The PCIE Guide recommends that review teams be led by a senior
manager and that the reviewers have an appropriate level of experience. The
DCAA quality assurance staff consists of about 35 auditors. The headquarters
Quality Assurance Division consists of one GS-15 division chief and four GS-14
program managers. In addition, each RQA staff consists of one GS-14
supervisor and four GS-13 auditors. Each RQA staff reports to a regional
director. DCAA requires that the quality assurance staffs comply with
continuing professional education requirements outlined in GAS.

When DCAA established its quality assurance divisions in October 1998, it
reassigned personnel from other divisions within the organization. As of
December 17, 1998, DCAA had reassigned a total of 7 employees to the quality
assurance divisions and by March 31, 1999, DCAA had reassigned a total of
20 employees to the quality assurance divisions. The initial staffing was
adequate for performing the internal quality assurance review of forward pricing
assignments.
The headquarters Quality Assurance Division, RQAs, and Field Detachment Quality Assurance Division were staffed with 31 employees as of December 16, 1999. The original staff level of 35 appeared adequate to perform the original assigned duties.

DCAA established the headquarters Quality Assurance Division primarily to develop and execute an agency-wide quality assurance program. DCAA has subsequently added responsibilities, such as providing assistance in preparing the DCAA FY 2000 financial statements. The headquarters Quality Assurance Division expended 1,500 staff-hours on the unplanned task. DCAA needs to closely monitor the status of the quality assurance workload to ensure that the quality assurance program is accomplished within the 3-year cycle.

Independent Review. The PCIE Guide recommends that the review team leader report to an individual or a level within the organization that will ensure independence and objectivity in the performance of internal quality assurance reviews. The headquarters Quality Assurance Division reports to the Assistant Director, Policy and Plans. In addition, when DCAA established the process for assigning the auditors to the internal quality assurance reviews, DCAA determined that personnel from the RQAs would not be allowed to review any FAOs within their own regions. DCAA made that decision to ensure that the auditors maintained independence because auditors assigned to RQAs report to the respective regional directors. However, the same reasoning was not applied to the assessment of Field Detachment. DCAA decided that the Field Detachment Quality Assurance Division would conduct the internal quality assurance review of Field Detachment audits.
DCAA decided not to independently assess Field Detachment because of workload, security considerations, and because DCAA considers the Field Detachment Quality Assurance Division independent because it is separate from Field Detachment audit operations.

    Field Detachment Workload. DCAA decided not to independently assess Field Detachment because of “the low relative significance” of the Field Detachment workload. However, as shown by the following table, Field Detachment roughly equals one-half of a DCAA region with almost an equal number of FAOs.

Table 1. Relationship of Field Detachment to Overall DCAA

                              # FAOs [1]   Staffing [2]   Hours [3]
Eastern                           14           677        1,403,752
Northeastern                      15           598        1,247,754
Western                           16           740        1,572,799
Central                           12           671        1,376,908
Mid-Atlantic                      13           781        1,531,615
Field Detachment                  11           335          640,587
Headquarters/Miscellaneous         0           370          427,024

Total                             81         4,172        8,200,439

[1] DCAA Publication 5100.1, “Directory of DCAA Offices,” January 2000, except for Field Detachment.
[2] DCAA MRD 99-OWD-087, “Fiscal Year 2000 Planning and Staff Allocation Document,” July 23, 1999.
[3] DCAA report, “Comparative Statistics – Major Workload Categories September 1997, 1998, 1999.”

Field Detachment was allocated about 8 percent of the total DCAA staff and expended about 8 percent of the total hours.
On average, each of the five regions was allocated about 17 percent of the total staff. In addition, we believe that assignments conducted by Field Detachment have the potential to be high risk because the assignments get less visibility outside of Field Detachment because they are audits of classified programs. Also, DCAA did not consider how the geographic dispersion of FAOs affects implementation of quality controls such as oversight. For example, the FAO that we visited had 46 auditors in 9 separate locations in 4 states. In addition, while the five regions are organized geographically, FAOs within Field Detachment are dispersed nationwide, providing less opportunity for oversight.

    Field Detachment Security Considerations. DCAA determined that it was in the best interest of DoD for the Field Detachment Quality Assurance staff, with existing clearances, to perform the PCIE-based reviews at Field Detachment FAOs rather than maintaining a cleared contingent within the headquarters Quality Assurance Division. DCAA made that decision based on the low relative significance and high security aspects of Field Detachment audit work. In addition, DCAA anticipated that the external reviewer would evaluate and perform some retesting of the Field Detachment quality assurance work and provide feedback on the results of that effort. DCAA should not assume that external reviewers will always retest Field Detachment Quality Assurance Division work. DCAA has responsibility for ensuring that its internal quality assurance program is performed independently and objectively. Only one or two DCAA auditors with clearances would be needed because of the limited time spent on the quality assurance reviews at each FAO. For example, only three Field Detachment FAOs were assessed and DCAA internal review teams consisting of two or three staff conducted each site visit over a 5-day period.
In addition, only four of the seven assignments that we reviewed as part of this review contained classified information; therefore, a noncleared auditor could review the unclassified Field Detachment assignments in certain situations.

    Field Detachment Quality Assurance Division Structure. The Quality Assurance Divisions for all five regions and Field Detachment are structured the same. The Field Detachment Quality Assurance Division chief, like the RQA chiefs, reports directly to the respective director. The Field Detachment Quality Assurance staff, like the RQA staffs in the five regions, are physically located at various FAOs. The Director, Field Detachment, like the other regional directors, is responsible for the overall management of the Field Detachment audit operations that the Field Detachment quality assurance staff is reviewing. Therefore, the Field Detachment quality assurance staff is only minimally independent from the field audit operations.

For the headquarters-led quality assurance review, Field Detachment was treated differently than the five regions. Specifically, the Field Detachment Quality Assurance staff reviewed FAOs within their own region while the RQA staffs were not allowed to review any FAO within the region to which they were assigned. In addition, the Director, Field Detachment, signed the memorandums that transmitted the review results to the three FAO managers in Field Detachment while the Assistant Director, Policy and Plans, signed the memorandums that transmitted the review results to the five regional directors. Also, the lead reviewer from the Field Detachment Quality Assurance Division signed the memorandums for record that detailed the review results for the 3 FAOs in Field Detachment while either the Chief or the lead reviewer of the DCAA headquarters Quality Assurance Division signed the memorandums for record that detailed the review results for the 15 FAOs in the 5 regions.
While the headquarters Quality Assurance Division performed some oversight of the Field Detachment work by reviewing trip reports, the headquarters Quality Assurance Division did not have sufficient information to determine whether the assessment conducted by the Field Detachment Quality Assurance Division was consistent with the reviews of the five regions. Therefore, the quality assurance reviews performed on Field Detachment audits were not independently conducted and had limited additional headquarters oversight to help ensure an independent assessment.

Because of the isolation of Field Detachment created by security requirements and how DCAA has decided to perform headquarters-led internal quality assurance reviews, DCAA has less assurance that the quality control system within Field Detachment is operating effectively. In addition, best practices or lessons learned may not be as readily shared between Field Detachment and the rest of DCAA.

Evidence. The PCIE Guide recommends that competent evidential matter be gathered and, where applicable, sufficient testing accomplished to determine whether the organization is in compliance with applicable auditing standards, policies, and procedures. DCAA developed an understandable, methodical process for selecting which FAOs and audit assignments to review. The selection criteria varied depending on the audit type being reviewed. See Finding B for a description of the process used on the internal quality assurance review of forward pricing assignments.

DCAA gathered what it considered sufficient evidence to evaluate whether its auditors were complying with applicable auditing policies and procedures. However, in conducting our review of forward pricing assignments, we had to do significant retesting because additional documentation was needed for us to form an opinion on the quality assurance work performed.
See Finding C for a discussion of this issue.

Written Results. The PCIE Guide recommends the preparation of written results for each review that include recommendations for corrective actions when applicable. DCAA prepared trip reports that summarized the results of the review at each FAO and provided the trip reports to the FAO manager and the regional directors. The trip reports also function as the summary working paper. DCAA prepared and presented a briefing to the ESC in December 1999 that summarized the results of the review and the proposed corrective actions. That approach meets the intent of the characteristic outlined in the PCIE Guide. DCAA could enhance its program by issuing a summary report for each quality assurance review performed.

Written Responses. The PCIE Guide recommends that written responses be provided on each recommendation which should include proposed corrective actions or corrective actions already taken. Each FAO that DCAA reviewed provided written responses to draft trip reports, which DCAA considered and included in final trip reports. Agreement on what deficiencies need to be addressed is the first step toward improving audit performance. That approach incorporates the characteristic outlined in the PCIE Guide.

Followup Procedures. The PCIE Guide recommends that procedures be established for resolution and followup of recommended corrective action. A good followup system should provide information on the improvements made as a result of the work and whether the improvements achieved the desired result. Determining actions that were taken on recommendations requires continual monitoring of the status of recommendations. DCAA has two separate followup processes for monitoring the status of actions taken as a result of issues found during the headquarters-led internal quality assurance reviews.
The specific followup process used depends on which division is assigned the responsibility for the corrective action established by the ESC. Any corrective action adopted by the ESC is assigned an action item number and is included in a database maintained by the Executive Officer for the Director, DCAA. If the ESC assigns the responsibility for a corrective action to a headquarters component, that component is responsible for followup. If the regions are assigned the responsibility, then the regional directors are responsible.

    Headquarters Followup Process. As part of the management and execution of the quality assurance program, the headquarters Quality Assurance Division briefs the ESC on the various significant issues identified during the internal quality assurance reviews. As part of this process, headquarters Quality Assurance Division recommends potential corrective actions. If the ESC adopts a corrective action and assigns the action to a headquarters element, that component is responsible for followup. The ESC and the headquarters Quality Assurance Division are responsible for monitoring the followup. Most corrective actions that fit into that category are for agency-wide issues that require revisions to either DCAA policy or audit guidance.

    RQA Followup Process. In general, each region, including Field Detachment, is responsible and accountable for implementing the corrective actions taken as a result of its regional quality assurance program and for maintaining appropriate documentation on the implementation. For each headquarters-led quality assurance review, the regional directors are required to prepare corrective action plans that discuss issues noted in the trip reports for the FAOs and to submit the plans to the Director, DCAA. In addition, the ESC can adopt a corrective action and assign the action to the regions for either implementation or followup.
The action items are tracked through the ESC database. For action items assigned to the regions, DCAA relies on the regional directors to independently ensure that corrective action is taken. The regional directors can task the RQAs to verify that a corrective action has been properly implemented. However, the headquarters Quality Assurance Division performs no additional followup action until the next internal quality assurance review of the same type audit. DCAA stated:

    Until the ESC Meeting in March 2001, no formal process existed at the Headquarters or ESC level for individually tracking the completion of each region’s planned action. At that meeting, a new DCAA Strategic Plan objective was established entitled Compliance with GAGAS. Steps 3 & 7 of the milestone plan for this objective require the regions (and Field Detachment) to respectively:

        • Implement (by May 2001) previously established regional action plans resulting from improvement areas identified by FY 1999 PCIE-based reviews.

        • Brief (by December 2001) the ESC on status of progress on previously established regional action plans resulting from improvement areas identified by FY 1999 PCIE-based reviews.

DCAA should institutionalize the process described for future quality assurance reviews. Failure to properly implement corrective actions can cause a reviewer to discover repeat findings or issues during the next round of internal quality assurance reviews. Identification of repeat findings can lead to a qualified opinion on the internal quality control system depending on the significance of the issue. Therefore, regional directors should be required to notify the headquarters Quality Assurance Division when its corrective action plan has been implemented.
Once DCAA establishes formal followup procedures, those procedures should be included in the written policies and procedures for conducting internal quality assurance reviews.

Scope of Headquarters-Led Quality Assurance Reviews

DCAA structured its internal quality assurance review program using the PCIE Guide as the primary framework for evaluating whether its auditors were complying with GAS and CAM. The PCIE Guide recommends that the scope of internal quality assurance reviews include a determination about the degree of compliance with GAS, applicable PCIE audit policy statements, and applicable statutory provisions. In addition, the PCIE Guide states that a thorough review would include methods for testing compliance with audit policies and procedures established at all levels of an organization. Also, the PCIE Guide recommends that an internal quality assurance program cover each of the audit offices issuing audit reports and an appropriate cross-section of the types of audits performed.

Compliance with Auditing Standards and Audit Guidance. DCAA used the PCIE Guide as a basis for its reviews. Specifically, DCAA drafted its own checklist (DCAA Checklist) by adapting questions from PCIE Appendix E, “Financial Statement Presentation and Disclosure Checklist,” (PCIE Checklist E), and PCIE Appendix F, “Checklist for Review of Individual Performance Audits” (PCIE Checklist F). In addition, DCAA used its own “Audit Report Quality Review Sheet for Audit Reports of All Types” (Audit Report Checklist) to review the selected audit reports. The DCAA Checklist questions contain references to GAS and CAM for most questions.
However, because of the wording of certain questions or the criteria cited, DCAA did not properly evaluate compliance with certain auditing standards, specifically:

    Due Professional Care. DCAA generally agreed that the questions for assessing due professional care did not adequately address compliance with the standard and agreed to modify the question.

    Internal Controls. DCAA agreed that the questions could be reworded to resolve some of our concerns and increase the value and consistency of the answers. At a minimum, for future PCIE-based quality assurance reviews, DCAA will ensure that the reviewers sufficiently explain and/or document why the reviewers believe an auditor has demonstrated an adequate understanding of the internal controls despite not appropriately documenting that understanding. DCAA will also further examine our proposed changes that relate to checklist questions 6.1 and 6.2 to ensure that the significant data that need to be captured by these questions are captured.

    Irregularities, Illegal Acts, and Other Noncompliances. Current DCAA audit guidance for forward pricing assignments does not require the auditor to fully assess audit risk resulting from fraud or other illegal acts because the DCAA standard audit programs for forward pricing assignments do not include all of the necessary audit steps. Therefore, the criteria that the DCAA reviewers used to answer the DCAA Checklist questions were incomplete. DCAA has stated that the risk of fraud is generally inherently less in pre-award audits because fraud requires that the Government be harmed and the Government cannot be harmed until contract award.
DCAA agreed to reconsider its position and review each of its forward pricing audit programs to determine where it might best add appropriate steps to more directly cover those concerns.

See Finding C for detailed discussion of the DCAA Checklist issues. In addition, DCAA did not fully consider regional and FAO quality control policies and procedures in its internal quality assurance review of forward pricing assignments. DCAA planned to start a review of compliance with the general standards of staff qualifications and independence for its overall quality assurance program in October 2001 and to complete the review by March 2002.

    Qualifications and Independence. The GAS general standards of qualifications and independence serve as the foundation for other auditing standards. The importance of complying with the fieldwork and reporting standards rests on the presumption that the audit organization is in compliance with the general standards. The internal quality assurance review process that DCAA initially developed included plans to review compliance with the general standards of qualifications and independence throughout the agency. Those plans did not include testing at the FAO level.

        Qualifications. Subsequent to the start of the 3-year cycle, DCAA decided to postpone its review of qualifications—specifically continuing professional education—until FY 2002 because DCAA was in the process of revising guidance on continuing professional education requirements. DCAA plans to complete the review by March 2002. However, a complete review of qualifications covers more than continuing professional education requirements. The review should include hiring and promotion policies and procedures and the use of external consultant and internal experts.
The DCAA headquarters Quality Assurance Division plans to gather relevant documentation on qualifications before the end of the 3-year cycle.

        Independence. The DCAA headquarters Quality Assurance Division plans to gather relevant documentation on independence before the end of the 3-year cycle and to complete the review of independence by March 2002. The DCAA Quality Assurance Division can either test whether the applicable controls are in place and operating as expected for independence or refer to the review work performed by another DCAA component that they relied on.

DCAA needs to conduct a complete review of the general standards of qualifications and independence during the 3-year cycle as planned to have reasonable assurance that its audits are being performed in compliance with GAS and CAM. GAS 1.14 places the responsibility on the audit organization for ensuring that qualified personnel conducted the audits and that independence is maintained.

Assessment of DCAA Multi-Level Quality Control Procedures. The DCAA quality assurance review of forward pricing assignments did not fully consider regional and FAO quality control policies and procedures. The DCAA quality control system includes quality control procedures implemented at headquarters, the regions, and the FAOs. CAM 2-S10 states:

    Direct responsibility for quality in all audit and resource management functions is vested in the line and staff managers and supervisors at all levels of DCAA. . . . Quality control review planning considers the universe of all audit and resource management functions at all organizational levels.

To fully assess the adequacy of the DCAA quality control system as described in CAM, DCAA should have tested compliance with policies and procedures issued by the regions and the FAOs in addition to DCAA-wide policies and procedures.
However, when completing the DCAA Checklist, the reviewers did not indicate that they considered anything other than DCAA-wide quality control policies and procedures. The DCAA staff stated that the internal review of the quality control system was being conducted in accordance with the PCIE Guide and believed that the PCIE Guide does not require an evaluation of regional and FAO-specific quality control policies and procedures. In addition, the DCAA staff expressed concern that including regional and FAO-specific quality control procedures would result in the FAOs not being evaluated using the exact same criteria for each FAO. For the DCAA quality control system to be considered properly implemented and operating effectively as required by GAS, regional and FAO-specific quality control policies and procedures must be included in any internal quality assurance review.

DCAA has taken corrective action to ensure that its quality control system will be fully evaluated. DCAA has added the question, “Were the quality control procedures, forms, and checklists required by Regional/FAO policy appropriately completed/complied with?” to the January 2001 version of the DCAA Checklist that was being used for the review of incurred cost audits. Because DCAA has taken corrective action, we have no recommendation.

Review of FAOs. The PCIE Guide recommends that an internal quality assurance program include all of the audit offices that issue audit reports. All of the FAOs issue audit reports; however, DCAA never planned to ensure the review of every FAO in a given 3-year cycle. Although DCAA did not plan to prohibit two reviews of any FAO during the same 3-year cycle, DCAA has tried not to review an FAO twice. In addition, DCAA never planned to include the two overseas FAOs in the headquarters-led quality assurance reviews.
DCAA should revise its planning process to ensure that each FAO is included in at least one headquarters-led quality assurance review during each 3-year cycle. For the first 2 quality assurance reviews, DCAA evaluated 36 FAOs. For the third review, DCAA plans to evaluate 28 FAOs, one of which had already been included. DCAA currently has 81 FAOs. To ensure coverage of the FAOs, the fourth quality assurance review should either include the 18 FAOs not previously reviewed or specifically state why the risk at an excluded FAO did not warrant inclusion in a quality assurance review.

    Overseas FAOs. DCAA has two FAOs that are physically located overseas. The European Branch Office is in Germany, with suboffices in Saudi Arabia and Israel, and reports to the Regional Director, Northeastern Region. The Pacific Branch Office is in Japan, with suboffices in Hawaii and Korea, and reports to the Regional Director, Western Region. For the review of the two overseas FAOs, the regional audit managers conducted self-assessments whenever they visited those locations. However, the self-assessment does not satisfy the need for an independent review. The workload at the two offices is significant. In FY 2000, DCAA expended an average of 47,374 audit hours and issued an average of 515 reports per FAO. By comparison, in FY 2000, the European Branch Office expended 27,328 audit hours and issued 395 reports, and the Pacific Branch Office expended 14,071 audit hours and issued 456 reports. In addition, each FAO has an average staff[8] of 47 staff members, while the European FAO had 43 staff members and the Pacific FAO had 21 staff members.
Therefore, while the two overseas FAOs are not as large as an average FAO, they are still responsible for a considerable number of assignments. In addition, the types of reviews performed may be more sensitive at those locations because DCAA is normally reviewing foreign entities. The Western Region RQA staff has included the Pacific Branch Office in its regional quality assurance reviews since FY 1999, the year that the Western Region RQA was established. In FY 2000, an RQA reviewer visited the Pacific Branch Office for reviews of management information data integrity and computer-assisted audit techniques. In addition, the Western Region RQA had the Pacific Branch Office mail the data to be included in reviews of defective pricing audits in FY 1999 and of nonmajor incurred cost audits in FY 2000. The Regional Director, Northeastern Region, is considering including the European Branch Office in its regional quality assurance reviews.

We consider workload of this magnitude to require some independent review. If field visits are not practical, other means can be used, such as mailing the selected audit files to DCAA headquarters for review in a process similar to that now being used by the Western Region RQA. With most DCAA audit work now documented with electronic working papers, this option is more easily implemented than before. In response to a discussion draft of this report, DCAA reconsidered its position as to whether the overseas FAOs should be included in the internal quality assurance reviews.
On March 30, 2001, DCAA notified us that they would begin to include both overseas FAOs in the universe of offices potentially selected for future reviews.

Cross-Section of Audits Reviewed. In designing its headquarters-led quality assurance program, DCAA concentrated on ensuring that it covered a broad cross-section of audit work. DCAA was concerned that the audit coverage not be so broad as to preclude gathering sufficient data to draw meaningful conclusions. Beginning in FY 1999, DCAA established a 3-year cycle for conducting internal quality assurance reviews that would cover the various types of contract audits that DCAA routinely performs. DCAA initially determined that its workload fell into three major categories—forward pricing assignments, incurred cost audits, and all other assignments. DCAA planned to conduct separate internal quality assurance reviews for each of these audits. Subsequently, DCAA decided to separately review its audits of contractor internal controls instead of including them when reviewing the incurred cost audits. Therefore, in total, the DCAA headquarters Quality Assurance Division planned to conduct four quality assurance reviews during the 3-year cycle. That method of performing internal quality assurance reviews should provide adequate coverage of the routine audits performed by DCAA.

[8] Staff includes supervisors, administrative, and regional office staff.

Summary

The goal of a quality assurance program is to assess whether an organization carries out its work in accordance with GAS and established policies and procedures.
In addition, a quality assurance program may include an objective to assess whether the work was carried out economically, efficiently, and effectively. The purpose of reviewing a quality assurance program is to determine whether the program is adequately designed to meet the objectives of quality assurance and whether it produces reports on which the external reviewer can rely. While the use of the results of internal reviews as direct evidence can reduce the nature or extent of testing performed by the external review team, the external reviewer’s opinion on the quality control system should not be based solely on evidence provided by the internal reviews. Once the quality assurance program is refined and issues discussed above are addressed, DCAA should have reasonable assurance that its internal quality control system is comprehensive and suitably designed to ensure that DCAA is complying with all applicable standards, policies, and procedures.

Management Comments on the Finding and Evaluation Response

Summaries of management comments on the finding and our evaluation response are in Appendix B.

Recommendations, Management Comments, and Evaluation Response

A. We recommend that the Director, Defense Contract Audit Agency, as part of the quality assurance program:

    1. Develop written policies and procedures for conducting internal quality assurance reviews before starting the next review.

Management Comments. DCAA concurred in principle. DCAA acknowledged that the general policies and procedures on Microsoft PowerPoint slides should be formalized. However, DCAA stated that assigning additional resources to have the formalization completed by July 2001 would adversely impact the current PCIE-based review plans and schedule.
Therefore, DCAA planned to formalize the policies and procedures by December 31, 2001,[9] prior to the start of the next cycle of internal quality assurance reviews. DCAA believes that the schedule will allow the Inspector General, DoD, to review DCAA policies and procedures well before the completion of its review of DCAA’s first cycle of PCIE-based quality reviews.

Evaluation Response. The DCAA comments meet the intent of the recommendation.

2. Monitor the work assigned to the headquarters Quality Assurance Division to ensure that the internal quality assurance program reviews are accomplished during each 3-year cycle.

Management Comments. DCAA concurred with the recommendation.

3. Institutionalize procedures established at the March 2001 Executive Steering Committee meeting for tracking corrective actions for internal quality assurance reviews to include timely implementation.

Management Comments. DCAA concurred with the recommendation.

4. Conduct independent internal quality assurance reviews of all field audit offices, including the two overseas field audit offices and Field Detachment, within the 3-year cycle.

Management Comments on Review of All FAOs. DCAA concurred in part. Regarding the review of all FAOs during each 3-year cycle, including the two overseas FAOs, DCAA stated that they do not believe that it is good policy to firmly commit at the beginning of each PCIE-based 3-year review cycle to cover all of the FAOs.
Nevertheless, under the DCAA current methodology for conducting the PCIE-based reviews and given the DCAA revised position relating to its two overseas offices, it is very likely that every FAO will be covered during the first and subsequent review cycles.

Evaluation Response on Review of All FAOs. The DCAA comments related to reviewing all FAOs meet the intent of the recommendation. While the PCIE Guide does not specifically require that all of the offices issuing reports be reviewed, the PCIE Guide states that the selection of offices to be reviewed should take into consideration the number, size, and geographic distribution of the offices; number, type, and importance of reports issued by location; and the degree of centralized control over regional and branch offices. In addition, General Accounting Office Guide GAO/OP-4.1.6, “An Audit Quality Control System: Essential Elements,” August 1993, recommends that, “Over time, all organizational units should be reviewed and their products tested.” Therefore, it would be prudent if DCAA reviewed every FAO during each of its 3-year cycles.

[9] The DCAA comments state that DCAA planned to formalize its policies and procedures by September 30, 2001. However, via email of October 30, 2001, DCAA revised its milestone date.

Management Comments on the Required Clearances of DCAA Reviewers for Field Detachment. DCAA agreed that only two additional DCAA staff auditors need to obtain the appropriate security clearances to review Field Detachment.
However, DCAA believes that to appropriately plan, supervise, analyze, and report the results would require that several additional personnel obtain the appropriate security clearances.

Evaluation Response on the Required Clearances of DCAA Reviewers for Field Detachment. We agree that management involved in planning, supervising, analyzing, and reporting the results need the appropriate security clearances. However, DCAA still needs to conduct an independent review of Field Detachment. We request that DCAA reconsider its position and provide comments to the final report.

B. Internal Quality Assurance Review of Forward Pricing Assignments

DCAA selected forward pricing assignments[10] as the first category of audits to be reviewed. DCAA developed and implemented a reasonable methodology for selecting FAOs and audit assignments to be reviewed. The DCAA internal quality assurance review of forward pricing assignments identified some areas needing improvement for which DCAA had a process in place to ensure corrective action, had implemented corrective action, or had initiated corrective action. Specifically, DCAA identified issues related to:

• quality of audit reports and supervision for which DCAA determined that no additional corrective actions were needed;

• preparing risk assessments and setting up audit assignments for which DCAA implemented corrective actions;

• delegating authority to sign audit reports for which DCAA implemented corrective action, but a potential area for improvement still exists;
• properly documenting reliance on data from computer-based systems for which DCAA established an action item for implementation of corrective action; and

• audit execution issues for which the regions and Field Detachment were required to prepare corrective action plans.

DCAA identified issues that were important for ensuring that quality audits were performed and quality audit reports were issued and DCAA took corrective action to resolve many of the issues. To resolve the remaining issues, DCAA should implement revised guidance on delegating the authority to sign audit reports and documenting reliance on data from computer-based systems. Timely implementation of corrective actions will ensure that the DCAA internal quality assurance program is effective.

Review of Forward Pricing Assignments

DCAA initiated its internal quality assurance program in February 1999 and selected forward pricing assignments as the first category to be reviewed because those assignments made up a significant portion of its workload. For example, in FY 1999 DCAA completed forward pricing reviews covering $64.9 billion. DCAA developed a two-tiered selection methodology for determining which FAOs and assignments to review. First, DCAA selected the FAOs to visit based on the dollar volume of price proposals reviewed. Once the FAOs were selected, DCAA selected the assignments to be reviewed.

[10] Examples of forward pricing assignments include price proposals, integrated product teams, specified cost elements, agreed-upon procedures, and forward pricing rate agreements.

Selection of FAOs.
DCAA selected and visited 18 FAOs, 3 per region. The 18 FAOs represented 22.2 percent of the universe of 81 FAOs in existence as of January 2000. DCAA developed a standard methodology to be used to judgmentally select the three FAOs to be reviewed in each region. Specifically, DCAA selected the FAO with the highest number of forward pricing reports issued, the FAO with the most dollars examined, and the FAO with the most audit hours expended. DCAA ensured that each region included at least one branch office and one resident office.

Selection of Forward Pricing Assignments. DCAA selected and reviewed 126 forward pricing assignments, 7 assignments per FAO. The 126 assignments represented 3.2 percent of the universe of 3,931 assignments completed by all of the FAOs, 3,413 assignments completed by the 5 regions as of February 28, 1999, and 518 assignments completed by Field Detachment as of May 31, 1999. DCAA developed a standard methodology to be used to judgmentally select the 7 assignments to be reviewed at each of the 18 FAOs.
The seven assignments were an:

• audit of a price proposal of less than $5 million with the most dollars examined,

• audit of a cost-type-price proposal with the most dollars examined,

• audit of a fixed-price proposal with the most dollars examined,

• audit of a proposal that resulted from an integrated product team with the most dollars examined,

• audit of a forward pricing rate proposal on which the FAO expended the most hours,

• audit of specified cost elements with the most dollars examined, and

• agreed-upon procedures review of a proposal on which the FAO expended the most hours.

In addition, DCAA developed a methodology for substituting assignments for FAOs that had not completed assignments in the sampling methodology.

Based on the results of its internal quality assurance review of forward pricing assignments, DCAA identified areas for improvement and presented that information, along with proposed corrective actions, to the ESC in December 1999.

Corrective Action Processes in Place

Quality of Audit Reports. DCAA identified issues relating to the quality of audit reports, but determined that no separate action was needed because a process was already established that should ensure corrective action took place. DCAA established an audit report quality review program in 1995 that included the use of the Audit Report Checklist. The regions were required to review a sample of reports and submit the results to DCAA headquarters semiannually. DCAA summarized the results in an MRD that was provided to the regional directors and the Director, Field Detachment.
During the internal quality assurance review of forward pricing assignments, DCAA used the Audit Report Checklist to evaluate the quality of the 126 reports. DCAA found what they considered to be significant noncompliances for the following six questions:

• Question No. 1. Is the draft report cross-referenced to the working papers?
  19 occurrences (15.1 percent)

• Question No. 9. Does the qualifications paragraph summarize the adverse conditions having a significant impact on the conduct or audit scope and reference the detailed explanation of the impact on the audit results?
  32 occurrences (25.4 percent)

• Question No. 10. Does the results of audit paragraph express or disclaim an overall audit opinion? (Several variations of the question were present depending on the type of assignment being conducted.)
  17 occurrences (13.5 percent)

• Question No. 36. Does the results of audit section provide details on the exit conference to include a description of the contractor’s reaction to the audit findings or refer to where the contractor’s reaction is discussed?
  17 occurrences (13.5 percent)

• Question No. 38. If required, does the “Contractor Organization and Systems” section provide information on the contractor’s organization and systems, or refer to a prior report or other correspondence where information was provided?
  16 occurrences (12.7 percent)

• Question No. 40.
Are the appropriate restrictions on release of the audit report and any attachments included on the “Audit Report Distribution and Restrictions” page?
  16 occurrences (12.7 percent)

DCAA determined that they did not need to propose corrective action to reduce future occurrences of cited noncompliances because the regions and the FAOs were already required to meet the strategic plan objective of, “By calendar year 1999, 2000, and 2001, improve audit report quality by increasing ‘zero error’ audit reports to 75%, 85%, and 95% respectively.” For calendar year 1999, DCAA determined that the “zero error” rate was 73.4 percent and for calendar year 2000 the rate was 80.6 percent. However, for the 126 forward pricing reports reviewed, DCAA found that 34 (27.0 percent) reports had zero errors.

Supervision. DCAA identified issues related to the supervision of assignments, but determined that no corrective action was needed because a process was being established to ensure that corrective action took place. DCAA found that most of the audits with significant problems (technical/compliance related or unjustified hours or rework) lacked the minimum documentation indicating supervisory involvement. Specifically, DCAA found that supervisors were not signing (approving) risk assessments and audit program steps prior to the performance of the audit steps and were not signing (approving) summary working papers prior to issuance of the audit report.
In addition, DCAA found instances where working paper files were not put together, audit programs or key elements were missing from the working papers, or the working papers did not support the number of hours expended on the audit or the type of report issued. DCAA anticipated that the new supervisory documentation requirements resulting from implementation of the Audit Planning and Performance System (APPS) would resolve those issues. APPS is an automated working paper package that includes standard audit programs and standard report formats for various types of assignments. In addition, DCAA required that the regions and Field Detachment place renewed management emphasis and attention on supervision.

Corrective Actions Completed

Risk Assessments. DCAA identified an issue related to preparing adequate risk assessments and took corrective action. Specifically, DCAA determined that auditors preparing risk assessments for forward pricing assignments did not always:

• set control risk properly or link it to the level of substantive testing performed,

• determine how prior findings would impact the current audit,

• consider the materiality of a proposal in total and by cost element, or

• consider the proposal type and how it would affect the audit scope.

To resolve those issues, DCAA developed a revised format for risk assessments, released in April 2000, and a presentation package on preparing adequate risk assessments for price proposals. In addition, DCAA revised the standard audit programs by adding preliminary audit steps to complete a risk assessment and to coordinate with contracting officers to ensure an understanding of the audit request.
Also, DCAA presented briefings on the new risk assessment format in May 2000 and provided training sessions beginning in September through November 2000. Initially, DCAA was requiring the RQAs to assess the effectiveness and adequacy of the revised risk assessments and to present the results at the June 2001 ESC meeting. However, at the December 2000 ESC meeting, DCAA extended the deadline to the September 2001 ESC meeting.

Setting Up Audit Assignments. DCAA identified an issue related to setting up audit assignments and took corrective action. Specifically, when receiving conflicting requests involving the audit or review of a proposal or an element of a proposal, the auditors did not contact the procurement officials to clarify the extent of audit work needed before setting up the assignments. As a result, assignments were established and work was performed that may not have met the needs of the procurement officials. In the December 1999 briefing to the ESC, DCAA proposed corrective action of establishing a team to research audit assignment issues and to provide clarifying guidance by April 14, 2000. On March 8, 2001, DCAA issued DCAA MRD 01-PPD-020(R), “Clarification of Guidance on Coordination of PCO [procuring contracting officer] Request for Field Pricing Support,” which provided supplemental explanation of guidance in the CAM.

Corrective Action Completed but Potential for Improvement Exists

DCAA identified an issue related to the delegation of authority to sign audit reports and took corrective action. DCAA Regulation 5600.1, “Delegation of Signature Authority,” November 27, 1995, authorized an FAO manager or resident auditor to redelegate the authority to sign any type of audit report, no matter how sensitive, to the supervisory auditor.
DCAA found that regional audit managers and FAO managers were routinely delegating the authority to sign the more significant and sensitive reports to supervisory auditors. To correct that deficiency, DCAA issued a revised DCAA Regulation 5600.1, “Delegation of Signature Authority for Audit Reports and Other Audit Related Documents,” June 28, 2000. Under the revised regulation, the FAO manager is not authorized to delegate authority to sign reports for various types of audits including:

• forward pricing audits when total dollars examined is $100 million or more or costs questioned are $1 million or more or exceed 10 percent of the dollars examined;

• incurred cost audits when the total dollars examined are $80 million or more or when costs questioned are $1 million or more or exceed 5 percent of the dollars examined;

• internal control audits with system opinion of inadequate or inadequate in part;

• operations audits with recommended cost avoidance;

• restructuring rate proposal audits;

• terminations or other claims; and

• audits pertaining to sensitive, controversial, complex, unusual, or significant matters.

The revised regulation corrected the identified issue. However, the revised regulation did not correct another previously existing deficiency. The revised regulation, like the previous version, allows a supervisory auditor, as acting FAO manager, to sign his own audit reports on issues listed above.
That management control deficiency occurs because the revised regulation continues to grant acting FAO managers the same signature authority as FAO managers without that authority being considered a redelegation. Therefore, audits that DCAA determined to be significant or sensitive and subject to review by the FAO manager are not being reviewed by someone independent of the supervisory auditor when that supervisory auditor is the acting FAO manager. An independent review of audit reports provides a needed quality control over the audit logic and helps ensure the integrity of the audit reports. As a result of supervisors signing their own audit reports without an independent review when acting as FAO manager, the risk of sensitive or significant audit reports being issued with errors is increased in comparison to when such reports are issued after an independent or FAO manager review.

Corrective Actions Initiated

Documenting Reliance on Data From Computer-Based Systems. DCAA identified an issue related to properly documenting reliance on data from computer-based systems and has established an action item for the corrective action. Specifically, DCAA found that auditors reviewing price proposals from nonmajor[11] contractors did not obtain adequate evidence about the reliability of data from computer-based systems or did not document that they had obtained any evidence, and were not specifically required by DCAA guidance to do so. In the December 1999 briefing to the ESC, DCAA proposed corrective action for determining if and how DCAA guidance should be modified to suit the type of audits they perform and to issue clarifying guidance as appropriate by April 14, 2000.
The ESC approved the proposed corrective action and established action item E99-12-13. However, as of September 2001, no clarifying guidance has been presented to the ESC or issued. The issue that DCAA identified during its internal quality assurance review and the corrective action proposed will not fully correct the issue found during our external review. See Finding C for a discussion of this issue.

[11] A nonmajor contractor is a contractor where DCAA has less than $80 million of contractor costs to audit in one fiscal year. The cognizant DCAA office can decide, based on the significance of an internal control system, whether to perform an internal control system review of a nonmajor contractor.

Audit Execution Issues at the Regional and Field Detachment Level. DCAA identified areas for improvement for which the regions and Field Detachment managers were required to submit corrective action plans. The corrective action plans have been submitted but have not yet been fully implemented. Specifically, DCAA identified the following issues in addition to supervision discussed above.

Auditor Support of Cost Realism Exercises. The auditors were not coordinating with the cognizant procurement liaison auditors when customers insisted on full audits for clear cost realism exercises.

Need for Technical Specialist Assistance. Some auditors and supervisory auditors were not following the policy to end routine/automatic requests for technical assistance.

Understanding Internal Controls and Documentation Thereof.
Some FAOs did not have an internal control questionnaire or Internal Control Audit Planning Summary (ICAPS) forms that were reasonably complete or up to date. In addition, individual assignment working papers did not contain appropriate references or use of internal control questionnaires or ICAPS.

Redelegation of Signature Authority. Some supervisory auditors did not comply with regional and FAO redelegation of signature authority.

To resolve the issues, at the December 1999 ESC meeting DCAA established Action Item E99-12-14 that required the regional and Field Detachment management to analyze region results and to develop action plans by April 30, 2000. All of the action plans were submitted to the Director, DCAA, before April 30, 2000. At the March 2001 ESC meeting, DCAA established a milestone to “Implement previously established regional action plans resulting from improvement areas identified by FY 1999 PCIE-based reviews” by May 2001. In addition, DCAA established a milestone to “Brief ESC on status of progress on previously established regional action plans resulting from improvement areas identified by FY 1999 PCIE-based reviews” in December 2001.

Summary

The review of forward pricing assignments was the first DCAA internal quality assurance review. As such, DCAA did a credible job identifying several significant areas for improvement that required corrective action. However, DCAA has not implemented all of the proposed corrective actions. To maximize the potential for improvements from internal quality assurance reviews, DCAA should implement the corrective actions proposed by the headquarters Quality Assurance Division and approved by the ESC in a timely manner.

Recommendations, Management Comments, and Evaluation Response

B.
We recommend that the Director, Defense Contract Audit Agency:

1. Revise Defense Contract Audit Agency Regulation 5600.1, “Delegation of Signature Authority for Audit Reports and Other Audit Related Documents,” June 28, 2000, so that supervisory auditors, acting as field audit office managers, cannot sign reports on audit assignments they supervised.

Management Comments. DCAA nonconcurred. Revising the policy to preclude an acting FAO manager from signing his or her own reports when required by the circumstances would further complicate an already complex policy without significant benefit. In addition, DCAA stated that only the most qualified supervisors should be designated to act as FAO managers and that less qualified supervisors should not be given the final authority to sign audit reports simply because they had no involvement with a particular audit. Also, DCAA stated that if data from future reviews indicate significantly more errors associated with reports signed out by acting FAO managers, DCAA will appropriately revisit its signature authorization policy.

Evaluation Response. DCAA misunderstands the nature of the management control weakness that we identified. A signature on an audit report is an indication that the report was reviewed by someone other than the supervisory auditor. Requiring the independent review of audit reports deemed sensitive by DCAA management is an extremely important management control procedure and will, in turn, assist DCAA in meeting its strategic plan goal of increasing the “zero error” rate for audit reports.

General Accounting Office Guide GAO/OP-4.1.6 states that an independent verification of the evidence supporting the product and review of the product can help ensure quality.
Independent verification of the evidence, also known as referencing, is done by a person who is independent, objective, and experienced to verify whether facts and figures are correctly reported and that findings are adequately supported by the facts in the working papers. A product review helps ensure that higher level managers are satisfied with the overall quality of the product and that the message is sound, addresses the objectives, meets the customer’s needs, and is consistent with results in previous reports. However, DCAA does not require any region or FAO to perform a reference review of any audit report. In addition, DCAA does not require that every report be subject to a product review. DCAA has, however, granted the regions and FAOs the authority to conduct peer reviews of specific types of reports if desired. Therefore, review and signature by someone other than the audit supervisor is critical to ensure a quality product.

Finally, we do not consider the revised policy to be overly complex or difficult to implement. Our recommendation does not specify what alternative procedures DCAA should use in these circumstances. Formally designating more than one acting FAO manager for report signing purposes is only one possibility. Unless an independent peer review is performed, a signature on an audit report by someone other than the supervisory auditor is the minimum indication of a product review, and, therefore an indication that the report meets the GAS standards for quality. We request that DCAA reconsider its position and provide comments to the final report.

2. Issue the clarifying guidance for documenting reliance on data from computer-based systems.

Management Comments.
DCAA concurred, stating that they would issue new guidance on when and how DCAA audits of nonmajor contractors should obtain and appropriately document adequate evidence on the reliability of the contractor’s computer-based data by November 30, 2001.[12]

[12] DCAA established April 14, 2000, as the initial milestone date for issuing this guidance. However, at the December 2000 ESC meeting, DCAA revised the milestone date to January 31, 2001. At the March 2001 ESC meeting, DCAA revised the milestone date to May 31, 2001. In the DCAA comments to a draft of this report, DCAA stated that they planned to issue the guidance by September 30, 2001. However, at the September 2001 ESC meeting, DCAA again revised the milestone date to November 30, 2001.

C. Implementation of the Internal Quality Assurance Review of Forward Pricing Assignments

DCAA primarily used the DCAA Checklist, FAO exit conference notes and trip reports to document its internal quality assurance review of the individual forward pricing assignments. However, the documents generated by the quality assurance staff did not completely explain the work performed or fully document conclusions reached. In addition, DCAA did not fully evaluate whether the reviewed audits met certain auditing standards. DCAA maintained limited documentation because management determined that only exceptions needed supporting documentation or explanations. The use of poorly worded checklist questions; ill-defined criteria for evaluating audit work; and incomplete guidance for assessing noncompliances, illegal acts, and other irregularities impacted the complete evaluation of certain auditing standards.
DCAA needs to take corrective action on the internal quality assurance reviews so an external reviewer can place maximum reliance on the DCAA work when conducting oversight reviews. If DCAA adequately documents the internal quality assurance reviews, the external reviewers may use the results as direct evidence to support its overall opinion of the internal quality assurance program.

Documentation of the Quality Assurance Reviews

DCAA needs to improve its documentation of work performed when conducting internal quality assurance reviews. The DCAA quality assurance staff documented the results of the internal quality assurance review by completing a DCAA Checklist for each of the 126 assignments reviewed and writing exit conference notes and a trip report summarizing the results of the review for each of the 18 FAOs visited (7 assignments per FAO). As supporting documentation, the quality assurance reviewers obtained a copy of the audit report issued for each reviewed assignment, except for the four classified reports, and copies of working papers that the reviewer decided were needed. The working papers that the reviewers copied varied from none of the audit file to most of the audit file depending on how the reviewer completed the DCAA Checklist. DCAA generally maintained limited documentation because management determined that only exceptions to DCAA Checklist questions needed supporting documentation or explanations.

DCAA used the PCIE Guide as the primary framework for conducting its internal review and believed that this was the most critical factor for ensuring that an external reviewer could place maximum reliance on the results. The PCIE Guide requires that:

    Competent evidential matter should be gathered. . . .
    Working papers should be prepared to document the work performed and the conclusions reached during the review. . . . The review team should exercise due professional care and sound professional judgment in all matters relating to planning, performing, and reporting the results.

The quality assurance documentation and supporting FAO working papers used by the quality assurance staff did not sufficiently document the work performed or all the conclusions reached during the review. To complete our evaluation of the internal quality assurance review of forward pricing assignments, we had to spend considerable time discussing each completed DCAA Checklist that we reviewed with the quality assurance staff. For some assignments, we had to discuss the audit with the FAO to complete the checklist questions. The adequacy of the internal quality assurance review documentation directly affects the extent to which an external reviewer can rely on the DCAA quality assurance program.

Documentation Supporting the DCAA Checklists. DCAA did not maintain sufficient documentation to support its conclusions on the DCAA Checklists. When planning the review, DCAA decided to obtain supporting documentation for only “no” answers to DCAA Checklist questions because “no” answers indicate a deficiency. The DCAA Checklist also contains a column for comments to each question; however, the reviewers did not always make comments. Without the comments, we were unable to evaluate the reviewer’s rationale for their responses without retesting and drawing our own conclusions. For 6 of the 21 DCAA Checklists that we retested, the DCAA quality assurance reviewers had adequately cross-referenced to applicable FAO working papers or provided appropriate notes in the comment column.
We were generally able to use the information provided on the 6 checklists to understand reviewer rationale for conclusions. DCAA explained that, if the quality assurance reviewers were required to meaningfully document all of the “yes” answers, then DCAA would have to “significantly cut back on the number of audits reviewed.” According to DCAA, “the fewer audits reviewed, the less meaningful the results and the less likely existing problems/noncompliances will be accurately identified and satisfactorily addressed.”

When evaluating the adequacy of an internal quality assurance review, the external reviewer has to consider responses to all questions no matter whether the answer is “no,” “yes,” or “not applicable.” DCAA stated that because of the general nature of many of the checklist questions, “providing genuinely useful and meaningful (i.e. substance over form) documentation for the ‘yes’ responses would be very time consuming.” In addition, DCAA believes that “many of the key questions cannot be dealt with simply by reviewing and referencing a single working paper or working paper section.” The PCIE Guide recommends that competent evidential matter be gathered and, where applicable, sufficient testing be accomplished to determine whether the organization is in compliance with applicable auditing standards, policies, and procedures. Evidence includes documentation for “yes” answers. The documentation for “yes” and “not applicable” answers would not be as extensive as the documentation for “no” answers.
The documentation could consist of brief notes in the comments section of the DCAA Checklist or a predetermined set of criteria for a “yes” answer. In addition, tailoring the questions to more specifically address the way DCAA operates would help improve documentation and reduce the time needed to document reviewer conclusions. Additional documentation should not negatively impact the number of FAOs or assignments reviewed. Documentation is the key for an external reviewer being able to rely on DCAA work.

Cross-Referencing the Internal Quality Assurance Review Reports. DCAA wrote a trip report in the form of a Memorandum For Record for each of the 18 reviewed FAOs. The trip report summarized the major findings of the internal quality assurance review at that FAO and included an enclosure that summarized the DCAA Checklist answers by reviewed assignment. The major conditions discussed referenced the applicable reviewed assignment and the DCAA Checklist question, if pertinent. DCAA was not required to, and did not, cross-reference the 18 trip reports to the supporting quality assurance documents. Cross-referencing the trip report to the actual quality assurance documents would establish an audit trail showing that all facts in the trip report are supported by the quality assurance documents. Cross-referencing the report to the actual supporting working papers is a generally accepted practice. In fact, CAM 4-403(i)(3) provides guidance on cross-referencing that includes the requirement to cross-reference the summary results and notes in a DCAA draft report to the DCAA summary and lead working papers.

External Reviewer Reliance on DCAA Internal Quality Assurance Review Documentation.
The DCAA working papers that support its internal quality assurance reviews must contain sufficient evidence to support each auditor conclusion for an external reviewer to place maximum reliance on the work. Although DCAA is not required to follow the CAM when conducting internal quality assurance reviews, proper cross-referencing would facilitate identifying supporting documentation for significant auditor conclusions. Because of inadequate comments, cross-referencing, and documentation we did not rely on the working papers when conducting our review. We retested the validity of the results of the DCAA internal quality assurance review of forward pricing assignments by judgmentally selecting three FAOs and evaluating the same seven assignments at each FAO that DCAA initially reviewed using the DCAA Checklist. Better documentation will allow the external reviewer to rely to a greater extent on the DCAA results. That reliance, in turn, will reduce the staff time that both agencies will have to expend on the reviews.

Assessment of Internal Quality Assurance Review Results for Forward Pricing Assignments

DCAA used the questions from the PCIE Checklist as the starting point for formulating the DCAA Checklist. DCAA revised 24 of the PCIE Checklist F questions because those questions did not specifically pertain to the DCAA audit environment. Of the 24 revised questions, DCAA significantly changed 5. DCAA used the DCAA Checklist questions to evaluate whether the selected audit assignments met the auditing standards and complied with agency policy and procedures. The DCAA Checklist, dated July 9, 1999, contained eight sections that roughly equate to the various GAS. In total, the DCAA Checklist had 49 questions.
Of the 49 questions, we identified 8 that, as implemented, impacted the complete evaluation of certain auditing standards. That situation occurred because of the use of poorly worded checklist questions; ill-defined criteria for evaluating the evidence of audit work; and incomplete guidance for assessing noncompliances, illegal acts, and other irregularities. The eight questions need revision to ensure that DCAA properly assesses whether an audit met that particular auditing standard. In addition, by tailoring the questions to evaluate compliance with standards based on the way DCAA operates, DCAA should be able to more efficiently document its conclusions. The questions needing improvement are quality control (one question); due professional care (two questions); data from computer-based systems (one question); internal controls (two questions); and noncompliances, illegal acts, and other irregularities (two questions). The question on quality control is addressed in Finding A, and DCAA has already revised the checklist question. In addition, we determined that one question relating to report cross-referencing on the Audit Report Checklist and the related CAM guidance need revision.

Due Professional Care. When DCAA evaluated compliance with due professional care, DCAA used questions 1.1 and 1.2 from PCIE Checklist F without adapting them for the way DCAA operates.

    1.1 Did the auditors follow proper procedures when determining that an applicable government auditing standard was not to be followed?

    1.2 Did the auditors adequately document the determination that certain government auditing standards did not apply?

Those two questions only partially address whether auditors met the due professional care standard as defined by GAS. Proper consideration of whether due professional care was exercised is required to adequately perform an internal quality assurance review.
Due professional care, according to GAS, means using sound judgment in establishing the scope, selecting the methodology, and choosing the tests and procedures for the audit.

DCAA generally agreed that the questions from the DCAA Checklist do not adequately address compliance with due professional care. In addition, we agree with DCAA that the questions should be answered after a complete review of the audit file and after all other questions are answered. Therefore, an additional enhancement to the DCAA Checklist format would be to put questions on due professional care at the end of the DCAA Checklist. At the exit conference for this review held on March 6, 2001, DCAA agreed to use the following revised wording, “Did the auditors exercise due professional care in performing the audit?” On the March 12, 2001, version of the DCAA Checklist, DCAA eliminated question 1.2 and adopted the wording above for question 1.1. DCAA made that change midway through its review of incurred cost audits (the third review). We recognize that DCAA reviewers applying the due professional care standard have a wide variety of knowledge and audit experience; therefore, to assist the reviewers in consistently applying the due professional care standard, DCAA should provide criteria so that variations in applying auditor judgment when answering this question, because of the individual auditor’s experience and expectations, can be minimized.

Reliability of Data from Computer-Based Systems.
DCAA adapted the following question from PCIE Checklist F and used it to evaluate compliance with GAS 6.62 on reliability of data from computer-based systems.

    5.3 If the data from computer-based systems was significant to drawing audit conclusions, did the auditor obtain evidence about the reliability of the data by either (a) determining that the validity of the data was established in other DCAA audits or by other auditors, or (b) directly testing the data. (The level of direct testing may be reduced by testing the effectiveness of general and application controls in the computer-based systems.)

Applicable Auditing Standards. GAS 6.62 requires that evidence supporting the reliability of data be obtained. The auditor can either perform the audit work to verify the reliability of the data or the auditor can rely on work performed in other audit assignments. GAS 6.62 specifically addresses the level of documentation needed when the reliability of data from computer-based systems is and is not a significant element of the finding.

    Auditors should obtain sufficient, competent, and relevant evidence that computer-processed data are valid and reliable when those data are significant to the auditors’ findings. This work is necessary regardless of whether the data are provided to auditors or auditors independently extract them. . . .
    When computer-processed data are used by the auditors, or included in the report, for background or informational purposes, and are not significant to the auditors’ findings, citing the sources of the data and stating that they were not verified will satisfy the reporting standards for accuracy and completeness.

In addition, GAS requires that working papers contain sufficient information so that an experienced auditor having no prior connection to the audit can determine from the working papers the evidence that supports the auditor’s significant conclusions and judgments. We consider how the auditor complied with GAS 6.62 to be significant. Therefore, if the auditor relied on data not contained in the audit file for the assignment under review, the working paper reference must be specific enough for a reviewer to find the information.

How DCAA Answered the Question. According to the DCAA briefing charts, “December 2000 ESC Briefing on DoDIG Evaluation of FY 1999 QA [quality assurance] Review Effort,” DCAA answered “yes” to question 5.3, “if evidence was found in FAO permanent files that EDP [electronic data processing] controls were tested (even if not documented in WPs [working papers]).”

DCAA Review Results. DCAA concluded that the auditors adequately documented evidence of the reliability of data from computer-based systems on 65 (51.6 percent) of the 126 assignments.
In addition, DCAA determined that for 17 (13.5 percent) of the audits reviewed that standard was not applicable. For the 21 audits we test checked, DCAA answered “no” to question 5.3 in 7 (33.3 percent) cases; “yes” in 12 (57.2 percent) cases; and “not applicable” in 2 (9.5 percent) cases.

External Review Results. We answered “no” to question 5.3 for 16 (76.2 percent) of the 21 audits we retested. In addition, we determined that “not applicable” only applied to one (4.8 percent) audit. We answered “no” more frequently than DCAA because if another audit or permanent file was not properly referenced in the reviewed audit files, we did not assume that the auditor knew that this review had been performed. In addition, if the auditor did not document why, or it was not obvious why, the computer-processed data was not significant to the auditor’s findings, we answered “no.”

Conclusions on External Review of Reliability of Computer-Processed Data. By applying its criteria, DCAA did not assess whether the auditor performing the reviewed audit had obtained the required evidence about computer-processed data. Instead, DCAA assessed whether the FAO had performed certain information system reviews. Therefore, DCAA did not adequately apply the criteria in GAS 6.62 to determine whether the auditor obtained sufficient, competent, and relevant evidence that computer-processed data are valid and reliable. DCAA generally evaluates contractor internal control systems, including general and application controls for information systems, as separate audits when the internal control system is significant to the contractor’s operations.
The audit work evaluating the reliability of computer-processed data would be documented in a separate audit file or permanent file maintained on that contractor. In that case, relying on the other audit to satisfy the requirements of GAS 6.62 requires proper referencing of the other work in the audit assignment. During performance of quality assurance reviews, audit files must provide all of the needed information so the audit files can stand on their own.

Improvement Suggested. To improve the assessment of compliance with GAS 6.62, DCAA needs to revise question 5.3 to make it a multipart question. The revision should ask whether the quality assurance reviewer determined whether:

    • the auditor properly determined if computer-processed data was significant to his audit conclusions, and

    • the auditor appropriately documented that determination (significant or not significant).

If the auditor determined that computer-processed data was significant to the audit conclusions, then the quality assurance reviewer must determine whether:

    • any auditor in the FAO conducted the appropriate audit work to determine the reliability and validity of computer-processed data, and

    • the auditor on the forward pricing assignment being reviewed properly documented the work performed by other auditors in the working papers.

If the auditor determined that computer-processed data was significant to the audit conclusions and no auditor in the FAO conducted the appropriate audit work to determine the reliability and validity of computer-processed data, then the quality assurance reviewer must determine whether the auditor on the forward pricing assignment being reviewed:

    • adequately performed audit work during the forward pricing review to verify
      computer-processed data, and

    • appropriately documented that work, if performed.

Using the multipart question should allow DCAA to quickly document the assessment of compliance with GAS 6.62. Once a complete assessment is performed, determining what corrective action, if any, is needed and how to implement the action will be much easier for DCAA.

Understanding Internal Controls. DCAA adapted the following two questions from PCIE Checklist E and used them to evaluate compliance with GAS 4.21 and 4.37 relating to understanding internal controls.

    6.1 Did the auditors obtain an understanding of the internal controls sufficient to plan the audit by performing procedures to understand the design of controls relevant to the audit and whether they have been placed in operations?

    6.2 Did the auditors appropriately document their understanding of the internal control components obtained to plan the audit?

Auditing Standards and Audit Guidance. Understanding internal controls, according to GAS 4.21, means obtaining a sufficient understanding of internal controls to plan the audit and determine the nature, timing, and extent of tests to be performed. In addition, GAS 4.37 requires that working papers provide written evidence supporting the auditor’s significant conclusions and judgments. CAM 5-106 states that the first step in reviewing and evaluating a contractor’s internal controls is to obtain an understanding of the accounting and management systems being reviewed. CAM 5-106 also emphasizes the requirement that the auditor’s understanding be documented.

    Once the auditor has gained an adequate understanding of the contractor’s accounting and management systems, that understanding should be documented in the audit working papers and related permanent files.
    This documentation will typically take the form of system flowcharts, narrative descriptions, and copies of relevant documents and reports. The method(s) used and extent of documentation required are a matter of professional judgment. However, the documentation should provide sufficient information to communicate the auditor’s understanding in a clear and summarized manner.

Criteria Used by DCAA. When answering question 6.1 for audits of major contractors,[13] DCAA concluded the auditor had obtained an understanding of internal controls when the FAO had completed current Internal Control Audit Planning Summary (ICAPS) forms. For audits of nonmajor contractors, DCAA answered “yes” to question 6.1 when the FAO had an up to date completed Survey of Contractor’s Organization, Accounting System, and System of Internal Controls (SHORTICQ). DCAA used those forms to obtain an understanding of a contractor’s internal controls and to assess control risk. For question 6.1 to be answered “yes,” the auditor did not have to include or reference the appropriate form(s) in the audit file. The form(s) had only to be available somewhere in the FAO files. For question 6.2 to be answered “yes,” the auditor had to include or reference the appropriate form(s) in the audit assignment file.

Results of DCAA Review. DCAA determined that the auditors for 108 (85.7 percent) of the 126 assignments obtained an understanding of the contractor’s internal controls for question 6.1.
However, for question 6.2, DCAA determined that the auditor appropriately documented that understanding for only 74 (58.7 percent) of the 126 assignments. For the 21 audits that we test checked, DCAA answered question 6.1 “yes” in 14 (66.6 percent) cases and answered question 6.2 “yes” in 9 (42.9 percent) cases, a difference of 5 cases.

Results of External Review. We answered “no” to question 6.1 and question 6.2 for 14 (66.6 percent) of the 21 audits we retested. We answered “no” for both questions if the auditor did not include or reference the appropriate internal control forms in the audit file or provide some other information indicating a knowledge of the contractor’s internal controls. The only way to determine whether the auditor performing the audit had obtained an understanding as required was through documentation that existed in the audit file.
Therefore, independent of any retesting, we concluded that DCAA improperly assessed the auditor’s compliance for 34 (27.0 percent) of the 126 assignments where DCAA answered question 6.1 “yes” and question 6.2 “no.” Of the 21 assignments that we retested, we identified 3 audits where DCAA improperly applied its own criteria.

For the first audit, the DCAA reviewer answered both questions “no” and noted in the comment column, “No documentation in the workpaper file. Estimating system and ICAP[S] reviews have been performed.” Based on the comment and the DCAA criteria, question 6.1 should have been answered “yes” and question 6.2 should have been answered “no.”

For the second audit, the DCAA reviewer incorrectly answered question 6.1 “yes” based on the standard appendix to the audit report on the contractor’s organization and systems. The reviewer answered question 6.2 “no” commenting, “Assessment of control risk not documented in the audit file, see 3.1.e above.” The information presented in the audit report was not included in the audit file.

[13] A major contractor is a contractor where DCAA has $80 million or more of contractor costs to audit in one fiscal year.

For the third audit, the DCAA reviewer answered both questions “no;” however, information in the audit assignment file clearly indicated that the auditor had obtained information about the contractor’s internal controls.
The auditor noted in the risk assessment that estimating and accounting system reviews had been performed with no deficiencies identified but the SHORTICQ was incomplete and outdated. For this audit, the auditor gathered the existing information on the most applicable internal control systems and properly documented the overall status of the internal control assessment. The FAO was deficient in properly completing the required SHORTICQ.

Conclusion on External Review of Internal Controls. DCAA did not adequately apply the criteria in GAS and CAM when assessing whether the auditor performing the reviewed audit had obtained an understanding of internal controls. Instead, DCAA assessed whether any auditors at the FAO had obtained such an understanding. DCAA uses internal control system reviews[14] of a major contractor as the basis for all other audit work at a major contractor. DCAA uses the information on the SHORTICQ for a nonmajor contractor as the basis for all other audit work at a nonmajor contractor. Therefore, it is important that quality assurance reviewers assess the understanding of internal controls for both the FAO (whether internal control system reviews have been performed or SHORTICQs completed) and the auditor actually performing the audit being reviewed (knowledge of the results of completed system reviews or SHORTICQs and the effect on the current assignment).

In an effort to improve the assessment of understanding internal controls, DCAA combined the two questions into one new question on the March 12, 2001, revision to the DCAA Checklist.
The new question asks:

    6.1 For other than internal control audits, did the auditors: obtain and document an understanding of the applicable significant internal controls by performing procedures to understand the design of controls relevant to the audit and whether they have been placed in operation?

The revised question does not resolve our concerns. To fully evaluate compliance with GAS and CAM, FAO and individual auditor compliance must be assessed. The revised question requires one overall assessment of FAO and the auditor knowledge. In addition, whether either FAO or auditor compliance is properly documented in the appropriate audit file is another factor that should be evaluated separately. Therefore, revised question 6.1 could make the assessment of compliance with GAS and CAM more difficult than before.

Suggested Improvement. To improve its assessment of compliance with GAS 4.21, DCAA should revise the questions on internal controls to more specifically assess the information available at the FAO versus the knowledge level of the auditor performing the reviewed assignment.
Specifically, the revised questions should assess:

    • what information the FAO had on internal controls,

    • whether the FAO information was sufficiently documented,

    • what information the auditor performing the reviewed assignment obtained on the internal controls, and

    • whether the auditor sufficiently documented that information in the audit file.

[14] Internal control system reviews are performed as separate audit assignments and can be accomplished by different auditors or audit teams.

Revising the questions to distinguish between the information available at the FAO versus the knowledge obtained by the auditor will enhance the DCAA quality assurance review process by clarifying the nature of the identified deficiency. That, in turn, will allow the headquarters Quality Assurance Division to determine the root cause for the deficiency and recommend the most appropriate corrective action. In addition, the reviewer could more easily document compliance with the standard and appropriately credit the FAO for performing the required internal control reviews.

Noncompliances, Illegal Acts, and Other Irregularities. Current DCAA audit guidance for forward pricing assignments does not require the auditor to fully assess audit risk due to fraud or other illegal acts. Specifically, the DCAA standard audit programs for forward pricing assignments do not include all the audit steps needed to properly implement GAS 6.26 and GAS 6.28 or Statement on Auditing Standards (SAS) 82, “Consideration of Fraud in a Financial Statement Audit,” effective December 15, 1997. While SAS 82 specifically applies to financial statement audits, DCAA MRD 98-PAS-044(R), “Audit Guidance on SAS No.
82 ‘Considering Fraud in a Financial Statement Audit’,” March 26, 1998, states that many of the objectives of SAS 82 are applicable to the DCAA financial-related audits and performance audits. Forward pricing reviews are considered financial-related audits. The MRD summarizes the requirements of SAS 82 and discusses the impact of the standard on DCAA audits. SAS 82 requires auditors to assess the risk of material misstatements that are the result of fraud, and specifically, to plan and perform audits that will obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. CAM 4-702.3 requires that:

    The auditor should specifically assess the risk of material misstatement due to fraud and should consider that assessment in designing the audit procedures to be performed. Effective audit risk assessments and audits of internal controls are useful procedures for assessing risk of fraud against the government. Proper execution of audit programs together with adequate tests of contractor internal control systems should provide reasonable assurance that significant fraudulent and other unlawful practices are detected.

In addition, GAS 6.26 states that for all performance audits, auditors should be alert to situations or transactions that could be indicative of illegal acts or abuse. GAS 6.28 also requires that:

    Auditors should design the audit to provide reasonable assurance about compliance with laws and regulations that are significant to audit objectives. This requires determining if laws and regulations are significant to the audit objectives and, if they are, assessing the risk that significant illegal acts could occur.
        Based on the risk assessment, the auditors design and perform procedures to provide reasonable assurance of detecting significant illegal acts.

Extent of DCAA Review. When performing the reviews of forward pricing assignments, DCAA only identified a deficiency if documentation was present in the working papers, indicating that a potential fraud or illegal act may have occurred and the auditor did not identify it as such. In addition, DCAA did not identify a deficiency if noncompliances were considered, even though illegal acts were not. Without proper documentation, DCAA has no assurance that its auditors are adequately assessing the risk of fraud or other illegal acts. DCAA has stated that the risk of fraud is generally inherently less in pre-award audits because fraud requires that the Government be harmed and the Government cannot be harmed until contract award.

To improve compliance with GAS, DCAA should add audit steps:

    •   to the preliminary risk assessment that require the auditor to consider the risk of fraud or other illegal acts;

    •   to address situations where the potential for fraud exists and to evaluate its impact on the audit objectives and scope; and

    •   to document whether anything came to the auditor’s attention during the audit that would indicate that fraud or illegal acts occurred and that the auditor took appropriate action.

Including those audit steps in the standard audit programs should provide DCAA with reasonable assurance that DCAA auditors are adequately assessing the risk of fraud and will properly implement GAS and the intent of SAS 82. In addition, the documentation required by the additional audit steps will allow quality assurance reviewers to properly assess whether GAS 6.26 and 6.28 were complied with.
In comments on a discussion draft of the report, DCAA stated,

        DCAA believes its position to date has been reasonable. . . . The IG’s position also has merit. . . . DCAA will therefore, reconsider its position and review each of its forward pricing audit programs to determine where it might best add appropriate steps to more directly cover SAS 82 concerns.

Cross-Referencing Reports. The relationship between the working papers and the audit report is addressed in GAS 6.46 and GAS 7.55. DCAA used the following question from the Audit Report Checklist to determine whether the audit reports were properly cross-referenced to the working paper files.

        1. Is the draft report cross referenced to the working papers?

The DCAA quality assurance review addressed GAS 6.46 in question 5.1.a of the DCAA Checklist.

        5.1 Do the working papers document that the auditors obtained:

            a. Sufficient, competent, and relevant evidence to support findings, judgments, and conclusions in the report?

Cross-referencing of a draft report to the working papers allows an external reviewer to easily track the significant information in the report back to the pertinent working papers.

Pertinent Audit Guidance. GAS 7.55 states that a report should include only information, findings, and conclusions supported by competent and relevant evidence in the working papers. CAM 10-104.11 states, “The draft report should always be cross referenced to the working papers. This ensures that the audit conclusions are supported and are easily found.” CAM 4-403(i)(3) provides guidance on the extent to which the draft report needs to be cross-referenced to the working papers.
“As a minimum, reference the following: The summary results and notes in the draft audit report to the summary and lead working papers.” However, the guidance is not sufficient to ensure that all information, findings, and significant conclusions in forward pricing assignment reports were supported by competent and relevant evidence in the working papers. Sections of DCAA audit reports, such as scope and qualifications, contain standard language that does not need to be cross-referenced. Those sections can also contain information that is unique to the assignment; however, the existing CAM guidance does not require that the unique information in the subject, executive summary (significant issues), scope, qualifications, or contractor organizations and systems information be cross-referenced. Proper cross-referencing of the draft report to working papers also helps ensure compliance with GAS 6.46, which requires that, “Sufficient, competent, and relevant evidence is to be obtained to afford a reasonable basis for the auditors’ findings and conclusions.” Therefore, the criteria that DCAA used to determine the adequacy of the cross-referencing needs to be revised to include all significant report elements.

Results of DCAA Review on Cross-Referencing Reports. DCAA determined that for 19 (15.1 percent) of 126 audits reviewed, the draft report was not properly cross-referenced to the working papers in accordance with CAM guidance. Additionally, DCAA answered “no” to question 5.1.a for 13 (10.3 percent) out of the 126 audits.

Oversight Review Results on Cross-Referencing Reports.
Using the criteria in GAS 6.46 and GAS 7.55, we determined that 16 (76.2 percent) of the 21 audit reports were not sufficiently cross-referenced to the working papers. Depending on the content of a report, the information that CAM does not require to be cross-referenced may be crucial to understanding the results of the audit. For example, at one FAO we visited, the report for an assist audit of forward pricing bid rates contained information in the “Contractor’s Organization and System” section about two contractors that had merged, one of whom became business units within the other. Although the section cited previous audits on six internal control systems, the report did not contain sufficient information to determine whether the results of the six system reviews applied to the pre-merger or post-merger contractors or to the business unit under audit. In addition, a note in the report stated that all references to the old contractor had been replaced with references to the new contractor. Also, none of the information presented was cross-referenced to the working papers; therefore, the reviewer had no way to assess whether the information presented in the report was accurate and up to date. In another case, DCAA and we noted that the report had not been cross-referenced to the working papers and that the working paper documentation was not adequate for this audit. In addition, we answered question 5.1.a “no.” The supervisor had changed the report findings and instructed the auditor to adjust the working papers accordingly. The auditor did not revise the working papers sufficiently so that we could track the draft report findings back to the working papers. Therefore, we could not determine the adequacy of the work performed.
Complete cross-referencing of the report to supporting working papers and other files helps ensure the factual accuracy of the report’s content.

Needed Improvements. Revising the checklist question on cross-referencing would improve DCAA assessments of whether reviewed audits comply with GAS 6.46 and GAS 7.55. The checklist question and CAM guidance should include all of the requirements of GAS 7.55. The CAM revisions should also help emphasize to the audit staff the importance of proper report cross-referencing and ensure audit report quality.

Use of Rating System

Ratings. DCAA established an overall FAO rating to show FAOs that an FAO could “pass” an internal quality assurance review. For the internal quality assurance review of forward pricing assignments, DCAA did not develop a performance goal or performance indicators. Instead, DCAA used a subjective rating system to describe the overall performance of its FAOs. DCAA used the following two ratings.

    •   High – As good as we can reasonably expect and no followup necessary

    •   Satisfactory – Corrective action plans obtained and the regions are required to conduct followup to ensure that plans have been effectively implemented

DCAA did not develop criteria for objectively measuring FAO performance to assign either of the two ratings. Instead, DCAA, using the results of the DCAA Checklist reviews, subjectively decided which ones they felt were operating at a high level versus a satisfactory level. DCAA decided to rate 8 of the FAOs as high and 10 of the FAOs as satisfactory.

Performance goals should be objective, quantifiable, and measurable.
In addition, the measurement criteria should be established prior to conducting the review to ensure proper implementation of the rating process. Merely comparing the performance of one FAO against another does not provide any information on whether either FAO is meeting agency performance goals and can result in inconsistent ratings. For example, DCAA rated one of the FAOs we visited as operating at a high level of compliance even though DCAA found that one of the seven assignments reviewed did not meet the due professional care standard. DCAA determined that “as good as we can reasonably expect” or a high level of compliance equates to one out of seven FAO audits failing to comply with the due professional care standard. Because of the overall importance of complying with this standard, at the very least a high rating should indicate that all reviewed assignments met that particular standard. On the other hand, another FAO was rated as satisfactory, even though DCAA found that all of the seven assignments reviewed met the due professional care standard. In the trip report for that FAO, DCAA addressed issues related to using the incorrect standard audit program and insufficient supervisory auditor involvement. Without establishing criteria, reviewers cannot use the rating system to accurately describe whether an FAO is meeting agency performance goals or how significant the noncompliances are in relation to the overall quality assurance program.

Strategic Goal.
In an effort to formalize the internal quality assurance review process, DCAA developed a new goal for its strategic plan that requires, “By FY 2002, increase the number of FAOs found to be at a ‘high level’ of compliance in DCAA’s PCIE reviews to 70% in the forward pricing audit area.” The metric DCAA plans to use for that measure is the percentage of FAOs at a high level of compliance as determined in the FY 2002 PCIE-based quality assurance reviews.

The Government Performance and Results Act of 1993 recommends that performance goals be objective, quantifiable, and measurable and that performance indicators be used for measuring or assessing the relevant outputs, service levels, and outcomes of each activity. Strategic plan goals are covered by the Government Performance and Results Act. Therefore, if a similarly subjective process is used to determine if the goal is met, then the process will not meet the requirements of the Government Performance and Results Act. In addition, DCAA is still assigning an overall FAO rating based on only one type of assignment.

Summary

The goal of an organization’s internal quality control system is to provide reasonable assurance that established policies and procedures and applicable auditing standards are being followed. To ensure an accurate evaluation of the quality of the work performed, reviewers, both internal and external, should independently evaluate compliance with each auditing standard when reviewing working paper files. The key to adequately evaluating compliance with auditing standards is the use of questions and criteria that reflect the requirements of GAS and the audit organization’s own policies and procedures and audit environment.
Questions tailored to assess the audit environment under review would allow internal and external reviewers to more efficiently document conclusions.

DCAA has designed and is implementing an internal quality assurance review process intended to meet the goal of an external quality control review. DCAA stated that one of its key goals is to design and perform PCIE-based reviews in such a way that we could place maximum reliance on the reviews and reduce our oversight review effort. For DCAA to meet its goal of implementing an internal quality assurance program so that an external reviewer can place maximum reliance on its work, DCAA should design and perform internal quality assurance reviews that will provide more documentation of the work performed.

Management Comments on the Finding and Evaluation Response

Summaries of management comments on the finding and our evaluation response are in Appendix B.

Recommendations, Management Comments, and Evaluation Response

C. We recommend that the Director, Defense Contract Audit Agency:

    1. Sufficiently document all auditor conclusions when performing internal quality assurance reviews.

Management Comments. DCAA nonconcurred, stating that they believe that providing sufficient, meaningful documentation supporting the “yes” and “not applicable” answers to the DCAA Checklist questions would have a significant impact on the number of audits that could be reviewed.
DCAA is already committing approximately 7 staff-years to the annual performance of its internal quality assurance reviews and does not believe that it is prudent or appropriate to commit any additional resources to the internal review process at this time. Consequently, DCAA believes that any imposed requirement to systematically provide sufficient and meaningful documentation supporting “yes” and “not applicable” responses would result in a significant reduction in the number of audits reviewed. In addition, DCAA believes that its policy of only systematically documenting the noncompliances is in line with what other internal (and at least some external) reviewers do.

Evaluation Response. We disagree with the DCAA position. DCAA has 35 auditors assigned to the headquarters Quality Assurance Division, the RQAs, and the Field Detachment Quality Assurance Division to evaluate the work of 4,172 staff conducting 41,722 reviews. During the internal quality assurance review of forward pricing assignments, DCAA reviewed 126 assignments. DCAA has adopted the criteria set forth by the PCIE in the PCIE Guide. That criteria requires that, “Working papers should be prepared to document the work performed and the conclusions reached during the course of the review.” In addition, the PCIE Guide states that an organization’s internal quality assurance review should gather, “competent evidential matter . . .
to determine that the audit organization is in compliance with applicable auditing standards, policies and procedures.” A “yes” answer indicates compliance with the applicable standard; however, without sufficient documentation (either a note explaining how the reviewer reached that conclusion or a reference to working papers from the assignment file), it is not possible for others to evaluate the sufficiency of the DCAA reviewer’s work without independent retesting.

In addition, we disagree with the contention that DCAA would have to reduce the scope of its review if the DCAA reviewers were required to meaningfully and sufficiently document their work. Of the 21 assignments that we retested, the reviewers for 6 documented their “yes” and “not applicable” answers. As the DCAA quality assurance program matures and personnel become more familiar with the DCAA Checklist and the criteria for “yes,” “no,” and “not applicable” answers, the time needed to completely document the review should decrease. DCAA would benefit from fully documenting the “yes” and “not applicable” answers because that information would increase the value of the DCAA quality assurance organization by helping DCAA to better identify best practices or process improvements that could be adopted throughout the agency. Identification of such practices is a mandate of the DCAA headquarters Quality Assurance Divisions and the RQAs. Also, DCAA stated that one of its goals was for the Inspector General, DoD, to be able to place maximum reliance on DCAA work.
For us to do that, we need an audit trail from significant findings and conclusions discussed in trip reports back to the working papers that support them.

Finally, some internal reviewers may believe that documenting only “no” answers is sufficient to satisfy an external reviewer. However, an audit organization’s internal quality assurance program performs a different function than an external review of an audit organization. Part of the value of an internal review is the ability of an external reviewer to rely on the results. For the external reviewer, an internal quality assurance reviewer conclusion that auditing standards are met is as significant as a conclusion that standards are not met. DoD Service audit organizations, when conducting external reviews, documented all of the conclusions as to whether an audit met GAS. We request that DCAA reconsider its position and provide comments to the final report.

    2. Revise the Defense Contract Audit Agency Checklist to:

        a. Revise question 5.3 on reliability of computer-processed data to cover the field audit office’s knowledge and documentation of the reliability and validity of computer-processed data; the auditor’s knowledge and documentation of computer-processed data; and the auditor’s determination and documentation of any decision that computer-processed data is not significant to the audit findings and conclusions as required by Government Auditing Standard 6.62.

        b. Revise the questions in section 6 relating to internal controls to cover the field audit office’s knowledge and documentation of internal controls as well as the auditor’s knowledge and documentation.

Management Comments.
DCAA concurred in part, stating that the DCAA headquarters Quality Assurance Division tried to keep the DCAA Checklist questions as close to what was in the PCIE Guide as possible. However, the headquarters Quality Assurance Division has changed and will continue to change the DCAA Checklist questions and adopt new ones when appropriate. With respect to the 5.3 and section 6 questions, DCAA agreed that the questions could be reworded to address some of the Inspector General, DoD, concerns and increase the value and consistency of the answers. At a minimum, for future PCIE-based quality assurance reviews, DCAA will ensure that its reviewers sufficiently explain and/or document why they believe an auditor has demonstrated an adequate understanding of the internal controls, but not appropriately documented that understanding. DCAA will also further examine the Inspector General, DoD, proposed changes relating to checklist questions 6.1 and 6.2 to ensure that the significant data that needs to be captured by these questions is in fact captured.

Evaluation Response. The DCAA comments meet the intent of the recommendations.

    3. Revise the standard audit programs for forward pricing assignments to include audit steps addressing assessment of risk due to fraud and other illegal acts.

Management Comments. DCAA concurred, stating that they will review each of the forward pricing audit programs to determine where it might best add appropriate audit steps or new wording to existing steps to more directly cover SAS 82 concerns. DCAA provided draft changes to the audit programs on November 1, 2001.

    4.
Modify DCAA Manual 7640.1, “DCAA Contract Audit Manual,” and the “Audit Report Quality Review Sheet for Audit Reports of All Types” to require that auditors cross-reference all sections of an audit report containing nonstandard language, including the subject, executive summary (significant issues), scope, qualifications, and appendices to working papers, permanent files, or other audit assignments as appropriate.

Management Comments. DCAA concurred, stating that they would review existing policy and appropriately modify the CAM and the Audit Report Review Sheet by December 31, 2001.

    5. Establish criteria against which the field audit office can be rated.

Management Comments. DCAA concurred that they need to establish more specific, written criteria for gauging the overall performance of its FAOs.

Appendix A. Evaluation Process

Scope

An audit organization’s internal quality assurance program is an integral part of its overall management control program. We based our review of the DCAA quality assurance program on the GAS standards relating to quality controls, the PCIE “Guide for Conducting External Quality Control Reviews of the Audit Operations of Offices of Inspector General,” DCAA strategic plan goals and objectives, and DCAA policies and procedures in force from June 1992 through March 2001. We reviewed the DCAA internal quality assurance program and FY 1999 internal quality assurance review of forward pricing assignments. For the FY 1999 review, we reviewed the FAO and assignment selection process, completed DCAA Checklists and supporting documentation, and all 18 trip reports that DCAA prepared.
In addition, we visited 3 FAOs (Silicon Valley Branch Office in California, Lockheed Martin Orlando Resident Office in Florida, and Mid-South Branch Office in Colorado) to retest DCAA work and conclusions. Also, we discussed the internal quality assurance review process with DCAA officials to determine how much reliance we could place on the process when conducting our external quality control review. Further, we reviewed briefing charts presented to the ESC and meeting minutes and action items resulting from ESC meetings and decisions.

Inspector General, DoD, Oversight Responsibilities. Under Section 8(c)(6), Title 5, U.S.C., Appendix 3, the Inspector General Act of 1978, as amended, the Inspector General, DoD, is responsible for monitoring and evaluating adherence of DoD auditors to internal audit, contract audit, and internal review principles, policies, and procedures. The office within the Inspector General, DoD, responsible for conducting independent oversight reviews of DCAA is the Office of the Assistant Inspector General for Auditing, Deputy Assistant Inspector General for Audit Policy and Oversight. As part of that responsibility, Audit Policy and Oversight evaluates the internal quality assurance reviews performed by the DCAA headquarters Quality Assurance Division and the RQAs. Audit Policy and Oversight uses the PCIE Guide as a tool when conducting oversight reviews of the internal quality assurance reviews.

Methodology

To evaluate the adequacy of the DCAA internal quality assurance program, we reviewed DCAA policies and procedures and interviewed DCAA headquarters quality assurance staff to determine the procedures that have been established to conduct internal quality assurance reviews.
To evaluate the results of the FY 1999 internal quality assurance review of forward pricing assignments, we retested DCAA working papers to determine the significant deficiencies that were found, and we visited 3 (16.7 percent) of the 18 FAOs visited by DCAA and retested 21 (16.7 percent) of the 126 assignments reviewed by DCAA using the same DCAA Checklist that DCAA used when they conducted the initial review. We then compared our results to the DCAA results, identified differences, and determined why the differences occurred.

Use of Computer-Processed Data. We did not use computer-processed data to perform the evaluation.

Evaluation Dates and Standards. We conducted this evaluation from August 2000 through March 2001 in accordance with standards issued by the Inspector General, DoD. The project was suspended from May 9, 2001, to September 14, 2001.

Contacts During the Evaluation. We visited or contacted individuals and organizations within DoD. Further details are available upon request.

Prior Coverage

Inspector General, DoD

Report No. D-2000-6-010, “External Quality Control Review of the Defense Contract Audit Agency,” September 27, 2000

Appendix B. Management Comments on the Findings and Evaluation Response

Finding A

Management Comments on Independent Review of Field Detachment. DCAA stated that the Inspector General, DoD, statement that DCAA did not adequately consider the significance and unique risks associated with the Field Detachment audit work in setting up its quality assurance program is inaccurate in that it ignores one key fact.
That one key fact is, although the Field Detachment has less than half the staff and workload of the average DCAA region, the Field Detachment Quality Assurance Division has the same number of staff as each RQA to cover the work. In other words, the Field Detachment Quality Assurance Division has twice the staff to offset and deal with the unique Field Detachment risk factors.

Evaluation Response on Independent Review of Field Detachment. We disagree with the DCAA position. While having double the staff might offset some of the unique Field Detachment risk factors for regionally directed reviews, having double the staff does not lessen the impact of the lack of independence. If the staff is not independent, then the size of the staff does not matter. The reviewers are not independent when conducting the DCAA headquarters-led quality assurance reviews.

Management Comments on Required Clearances of Inspector General, DoD, Personnel. DCAA contends that the Inspector General, DoD, statement that its non-cleared reviewers can systematically review unclassified Field Detachment audit assignments is not valid. DCAA disagrees that the Inspector General, DoD, reviewers could be systematically accommodated to routinely gain unrestricted access to DCAA audit working papers even when the working papers and audit assignments themselves are not classified. Such action would significantly and unacceptably increase the risk of security violations and indicates a misunderstanding of procedures for operating in a classified environment. Typically, a mixture of classified and unclassified information is present within the same program. An individual must have the appropriate “investigation” and be granted the proper “clearance” to be given “access” to the program.
Jobs exist that require investigation/clearance eligibility based solely on the “nature” of the work, and not because the job requires handling of classified information. The nature of the audits conducted by the Field Detachment requires that they be performed in a sensitive compartment information facility (SCIF). Access to the SCIF is limited to individuals having the proper clearances.

Evaluation Response on Required Clearances of Inspector General, DoD, Personnel. We did not say or intend that uncleared personnel should be systematically accommodated to routinely gain unrestricted access to the DCAA audit working papers. The Inspector General, DoD, reviewers that visited the Field Detachment FAO to review the seven forward pricing assignments had the appropriate security clearances to gain access to the SCIF and to review the requested audit assignment files. The reviewers did not request to review files for which they were not cleared.

Management Comments on Classification Level of Documentation. DCAA stated that, although reviewers work with classified documents, the reviewers avoid including classified information in their working papers, to the maximum extent practicable. Thus, while frequently the working papers are not classified, they typically contain highly sensitive information, such as contractor names, contract numbers, contract amounts, customer names, or organizations. Individually, such data is not classified; however, when certain information is combined with certain other information, the combined information may become classified, and if not specifically classified, that information certainly becomes more sensitive. For example, combining a contractor’s name with a customer can result in a classified document.
Accordingly, every precaution possible is taken to avoid even the slightest exposure to a compromise. For that reason, all of the assignment folders, classified and unclassified, are maintained in the SCIF and only individuals with the proper clearances and special access program briefings are allowed access to the working papers on a need-to-know basis. Any plans or recommendations that the Inspector General, DoD, may have for reviewing the Field Detachment audit work should be made to fully comply with the secured environment process and should not be dependent upon any “workarounds,” so that they can be carried out without the possibility of jeopardizing security.

Evaluation Response on Classification Level of Documentation. We did not request that DCAA provide any workarounds to circumvent security requirements associated with classified data during our review of forward pricing assignments. We only requested access to unclassified data and classified data for which the auditors conducting the evaluation had the appropriate clearances. DoD Regulation 5200.1-R, “Information Security Program,” January 14, 1997, identifies the situation described by DCAA as classification by compilation. The regulation requires that:

        If portions, standing alone, are unclassified, but the document is classified by compilation, mark the portions “(U)” and the document and pages with the classification of the compilation. You must also add an explanation of the classification. . . . When a document consisting of individually unclassified items of information is classified by compilation . . . the overall classification shall be marked conspicuously at the top and bottom of each page and the outside of the front and back covers (if there are covers).
           An explanation of the basis for classification by compilation shall be placed on the face of the document or included in the text.

The regulation states that classified files, folders, and similar groups of documents must have clear classification markings on the outside of the folder or holder, although the cover sheets need not be attached when the item is in secure storage. However, that does not alleviate the requirement to specifically identify and appropriately mark documents that are classified. In addition, the regulation requires that working papers, defined as “documents and material accumulated or created in the preparation of finished documents and material,” containing classified information be marked with the highest classification of any information contained therein. Also, DCAA has expressed concern that, while data may not be classified, it may be sensitive. According to DoD Regulation 5200.1-R, sensitive information is defined by the Computer Security Act of 1987, which applies to unclassified information that deserves protection. The working papers and documents that are sensitive should be appropriately marked.

Finding C

Management Comments on Criteria. DCAA disagreed that they used ill-defined criteria for evaluating audit work. DCAA stated that the reviewers relied on the CAM and other official and well-established sources of DCAA audit guidance (for example, MRDs and DCAA regulations and instructions). The guidance is GAS-based, sufficiently detailed, regularly maintained, and the same guidance used to actually perform the audits. In addition, DCAA has provided the Inspector General, DoD, with all of the DCAA published guidance since about 1988.
Detailed references to the appropriate CAM guidance have been incorporated into most of the DCAA Checklist questions. In short, the guidance used was generally more comprehensive than that used by most other internal/external reviewers.

Evaluation Response on Criteria. We disagree with the DCAA position. While DCAA identified its criteria as the CAM, MRDs, and DCAA regulations and instructions, DCAA did not vet those criteria to identify and prioritize the most important elements to be tested during the internal quality assurance reviews. For example, when we reviewed the criteria that DCAA cited, CAM 5-101, for questions 6.1 and 6.2 on understanding internal controls, we found that the manual referenced CAM 5-102 through CAM 5-1200 for descriptions of requirements and audit guidance. That material encompasses 145 pages. In addition, the DCAA Checklist did not include any references to any MRDs or any DCAA regulation or instruction. The guidance to be covered by DCAA during its quality assurance reviews was generally more comprehensive than that covered by most other internal/external reviewers simply because DCAA has issued more official guidance than other Government audit organizations. Therefore, to plan and conduct efficient and effective quality assurance reviews using such voluminous guidance, DCAA needs to identify and use well-defined and specific criteria.

Management Comments on Cross-Referencing Trip Reports. DCAA disagrees that its trip reports were not adequately cross-referenced to the appropriate documents supporting the findings, including the key working papers of the reviewed audit. DCAA contends that the trip reports were all cross-referenced in detail to both the individual audits reviewed and to the individual DCAA Checklist questions.
For each significant issue of noncompliance addressed, the trip report identified all of the corresponding “no” answers on each DCAA Checklist and referenced each “no” answer to the specific audit reviewed and DCAA Checklist. The DCAA Checklists, in turn, refer the reader to the particular deficiency in the audit, audit work package, and/or audit report for which each “no” response was recorded.

Evaluation Response on Cross-Referencing Trip Reports. We agree that each trip report identified the forward pricing assignment being discussed and the DCAA Checklist question identifying the noncompliance. However, DCAA did not adequately cross-reference significant findings and conclusions in the trip report to the reviewer’s working papers. For example, the trip report for one assignment at one FAO contained the following explanation as to why the reviewer answered “no” to DCAA Checklist questions 1.1 and 1.2.

           The [contractor] IPT [integrated process team] proposed evaluation (A.4 above) was reported as if it were an audit, however, it is evident that an agreed-upon procedure evaluation was actually performed. The customer initially requested an audit and the acknowledgement letter clearly stated that a full audit would be performed. However, during the IPT process, it was agreed that the auditor would review only the proposed rates. The auditor completed the assignment using the standard audit program for an application of agreed-upon procedure review. During our review, the FAO acknowledged that a full audit was not performed and agreed that they should have issued an “Application of Agreed-Upon Procedures Report”.
           As a result, the review was noncompliant with the reporting standards under GAGAS and Agency policy. For this reason, we marked checklist items 1.1 and 1.2 under Due Professional Care, “No”.

However, the comment that the DCAA reviewer wrote for DCAA Checklist questions 1.1 and 1.2 was, “An agreed-upon procedures review was performed. Audit report on evaluation proposal issued.” The DCAA reviewer’s working papers did not include information about agreements made during the integrated process team process or any memorandums of discussion with FAO personnel except for the exit conference notes, which did not specifically address this issue for this assignment. DCAA stated that one of its goals was for the Inspector General, DoD, to be able to place maximum reliance on DCAA work. For us to do that, we need an audit trail from the significant findings and conclusions discussed in trip reports back to the review documentation that supports them.

Management Comments on Criteria for Rating System. DCAA stated that they had established a process to rate the level at which FAOs were complying with GAS and DCAA audit policy. DCAA agreed that the process was more subjective than objective and that, in rating the FAOs covered by the internal quality assurance review of forward pricing assignments, the reviewers used only two of the available ratings.

Evaluation Response on Criteria for Rating System. DCAA stated that the reviewers judgmentally considered and weighted five factors when assigning ratings to FAOs. DCAA listed the five factors considered in its response. However, in its March 31, 1999, Microsoft PowerPoint slides that DCAA considered to be its informal policies and procedures, DCAA made no mention of any sort of a rating system they might be considering for use during the internal quality assurance reviews.
In addition, the results of the review that the DCAA headquarters Quality Assurance Division presented to the ESC in December 1999 did not include any sort of criteria that might have been considered when assigning ratings to FAOs. The first time that any specific, written criteria for rating FAOs were provided to the Inspector General, DoD, was in the DCAA March 23, 2001, response to a discussion draft of this report.

Management Comments on Rating System. DCAA expressed concern about our assessment of the rating for the FAO and the forward pricing assignment that we described in the report. Specifically, DCAA stated that the forward pricing assignment referred to was, “actually a fine example of why good reviewer judgement is critical to the PCIE-based review process and analysis of its results.” DCAA explained that the assignment in question was a low-risk cost realism review—not a forward pricing assignment. However, the report ultimately provided the customer with all the information that he wanted and the customer later communicated his appreciation to the auditor. DCAA stated that, “Given the difficulty with question 1.1 [due professional care], the circumstances of the audit in question, the good quality of the FAO audit files, and the QA [quality assurance] results from the FAO’s six other audits, the QA team applied the criteria above and judged the FAO to be operating at a overall at a high level of compliance.”

Evaluation Response on Rating System. We disagree with the DCAA position. In our example, the report sent to the customer stated that the purpose was to determine whether the proposal was acceptable as a basis for negotiating a fair and reasonable price.
The results section contained the following conflicting statements regarding the review of cost or pricing data:

           The offeror has submitted adequate cost or pricing data. The proposal was prepared in accordance with applicable provisions of FAR [Federal Acquisition Regulation] and DoD FAR Supplement (DFARS). Therefore, we consider the proposal to be acceptable as a basis for negotiation of a fair and reasonable price. . . . In accordance with FAR 15.804-3, the contractor was not required to submit certified cost or pricing data because adequate price competition was anticipated.

For that assignment, the DCAA auditor reviewed only labor and indirect rates—the contractor did not provide cost or pricing data. In addition, we found no written documentation from the customer supporting the DCAA statement that the customer “communicated his appreciation” in either the audit assignment file or the DCAA reviewer file.

In addition to the assignment where DCAA determined that due professional care was not met, DCAA determined that the standard did not apply to two other assignments at the same FAO (an audit of a price proposal and an audit of forward pricing overhead rates for calendar years 1998 through 2002). Therefore, for that FAO, DCAA affirmatively found that only four of the seven assignments met the due professional care standard. Of those four assignments, DCAA determined that the working papers for one did not contain adequate documentation supporting the recommended rate position. That is, the working papers did not contain sufficient, competent, and relevant evidence to support the conclusions in the audit report.

Appendix C.
Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense (Comptroller)

Other Defense Organization
Director, Defense Contract Audit Agency

Defense Contract Audit Agency Comments

Evaluation Team Members

The Audit Policy and Oversight Directorate, Office of the Assistant Inspector General for Auditing, DoD, prepared this report. Personnel of the Office of the Inspector General, DoD, who contributed to the report are listed below.

Patricia A. Brannin
Wayne C. Berry
Diane H. Stetler
Catherine M. Schneiter
Ted M. Van Why
'